mmaitre314 · mmaitre314 · Sep 13, 2024 · Sep 13, 2024 · Sep 13, 2024
diff --git a/setup.cfg b/setup.cfg
@@ -1,6 +1,6 @@
 [metadata]
 name = picklescan
-version = 0.0.16
+version = 0.0.17
 author = Matthieu Maitre
 author_email = [email protected]
 description = Security scanner detecting Python Pickle files performing suspicious actions

diff --git a/src/picklescan/scanner.py b/src/picklescan/scanner.py
@@ -114,10 +114,13 @@ def __str__(self) -> str:
     "socket": "*",
     "subprocess": "*",
     "sys": "*",
+    "shutil": "*",
     "runpy": "*",  # Includes runpy._run_code
     "operator": "attrgetter",  # Ex of code execution: operator.attrgetter("system")(__import__("os"))("echo pwned")
     "pickle": "*",
     "_pickle": "*",
+    "bdb": "*",
+    "pdb": "*",
 }
 
 #

diff --git a/tests/data/malicious14.pkl b/tests/data/malicious14.pkl
diff --git a/tests/data/malicious15a.pkl b/tests/data/malicious15a.pkl
diff --git a/tests/data/malicious15b.pkl b/tests/data/malicious15b.pkl
diff --git a/tests/test_scanner.py b/tests/test_scanner.py
@@ -1,4 +1,5 @@
 import aiohttp
+import bdb
 import http.client
 import importlib
 import io
@@ -89,6 +90,15 @@ def __reduce__(self):
         return runpy._run_code, ("print('456')",)
 
 
+class Malicious15:
+    def __reduce__(self):
+        bd = bdb.Bdb()
+        return bdb.Bdb.run, (
+            bd,
+            'import os\nos.system("whoami")',
+        )
+
+
 class HTTPResponse:
     def __init__(self, status, data=None):
         self.status = status
@@ -345,6 +355,8 @@ def initialize_pickle_files():
     initialize_pickle_file(
         f"{_root_path}/data/malicious14.pkl", Malicious14(), 4
     )  # runpy
+    initialize_pickle_file(f"{_root_path}/data/malicious15a.pkl", Malicious15(), 2)
+    initialize_pickle_file(f"{_root_path}/data/malicious15b.pkl", Malicious15(), 4)
 
     initialize_zip_file(
         f"{_root_path}/data/malicious1.zip",
@@ -590,6 +602,7 @@ def test_scan_directory_path():
             Global("__builtin__", "dict", SafetyLevel.Suspicious),
             Global("__builtin__", "apply", SafetyLevel.Dangerous),
             Global("__builtin__", "getattr", SafetyLevel.Dangerous),
+            Global("__builtin__", "getattr", SafetyLevel.Dangerous),
             Global("__builtin__", "globals", SafetyLevel.Suspicious),
             Global("requests.api", "get", SafetyLevel.Dangerous),
             Global("builtins", "eval", SafetyLevel.Dangerous),
@@ -610,10 +623,13 @@ def test_scan_directory_path():
             Global("pickle", "loads", SafetyLevel.Dangerous),
             Global("_pickle", "loads", SafetyLevel.Dangerous),
             Global("_codecs", "encode", SafetyLevel.Suspicious),
+            Global("bdb", "Bdb", SafetyLevel.Dangerous),
+            Global("bdb", "Bdb", SafetyLevel.Dangerous),
+            Global("bdb", "Bdb.run", SafetyLevel.Dangerous),
         ],
-        scanned_files=28,
-        issues_count=26,
-        infected_files=23,
+        scanned_files=30,
+        issues_count=30,
+        infected_files=25,
         scan_err=True,
     )
     compare_scan_results(scan_directory_path(f"{_root_path}/data/"), sr)