Re: CVE request: maliciously crafted notebook files in Jupyter

[Gordo Lowrey <gordo () zeneval com>]

Obviously, running a python notebook from an untrusted party is a bad 
idea, since notebooks are litearlly code executors...

Sure, there is something to be said about *javascript* execution... but 
there are a plethora of addons for Python notebooks that generate 
Javascript on-demand. Especially for visualizations, etc...

Why is this a "vulnerability" necessarily?

Just curious...


On Mon, Mar 19, 2018 at 7:53 AM, Ricter Zheng <ricterzheng () gmail com> 
wrote:
> Hi Thomas Klutver,
>
> I am a student from china major in information security, I'm very 
> interest
> about the vulnerability. I tried to reproduction the vulnerability but
> failed, so can you provide some technology detail about it?
>
> Thank you.
> --
> Ricter Zheng
>
> Thomas Kluyver <thomas () kluyver me uk>于2018年3月15日周四 
> 下午10:27写道：
>
> >  Email address of requester: security () ipython org, 
> > thomas () kluyver me uk,
> >  benjaminrk () gmail com, jkamens () quantopian com, 
> > ssanderson () quantopian com
> >
> >  Software name: Jupyter Notebook (formerly IPython Notebook)
> >  Type of vulnerability: Maliciously forged file
> >  Attack outcome: Possible remote execution
> >
> >  Vulnerability: A maliciously forged notebook file can bypass 
> > sanitization
> >  to execute Javascript in the notebook context. Specifically, 
> > invalid HTML
> >  is 'fixed' by jQuery after sanitization, making it dangerous.
> >
> >  Affected versions:
> >
> >  - notebook ≤ 5.4.0
> >
> >  URI with issues:
> >
> >  - GET /notebook/**
> >
> >  Patches:  not yet finalised
> >
> >  Mitigations:
> >
> >  Upgrade to Jupyter notebook 5.4.1 or 5.5 once available.
> >  If using pip,
> >
> >      pip install --upgrade notebook
> >
> >  For conda:
> >
> >      conda update conda
> >      conda update notebook
> >
> >  Vulnerability reported by vkgonka () mail ru , via Jonathan Kamens at
> >  Quantopian
> >
> >  --
> Ricter Z