Skip to content

Unflattening auxiliary variables for secagg does not check instantiated class type #1252

New issue
New issue
Open
Open
Unflattening auxiliary variables for secagg does not check instantiated class type#1252
Labels
bugthis issue is about reporting and resolving a suspected bugcandidatean individual developer submits a work request to the team (extension proposal, bug, other request)
@mvesin

Description

@mvesin
mvesin
opened on Nov 26, 2024

When using auxiliary variables with secagg, the researcher needs to unflatten module-wise cleartext values.
For that purpose it instantiates an object from an AuxVar subtype, the class of the subtype being sent by the nodes

fedbiomed/fedbiomed/common/optimizers/_secagg.py

Line 185 in 56b1419

return aux_cls.from_dict(fields) 

        return aux_cls.from_dict(fields)

Problem: researcher does not check the received class received through the network is a valid and existing class (a subclass of AuxVar that really exists on the researcher.

This may give way to a malicious attacker to execute arbitrary code by sending another class name.
If confirmed, we may need to add check for class names in clear_cls

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugthis issue is about reporting and resolving a suspected bugcandidatean individual developer submits a work request to the team (extension proposal, bug, other request)

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions