Eve has a Comparison of Incompatible Types that Results in Invalid State in pyeve/eve

Valid

Reported on

Nov 1st 2022


Description

A conditional statement that always resolves to False.

Proof of Concept

// eve/methods/common.py
        if (
            field in document
            and document[field] is not None
            and document[field] is not []  # Always resolves to False
        ):
            related_links = []

Impact

The nested code block will never execute, resulting in invalid data.

Occurrences

Comparing the value of document[field] to an empty list [] using the is not comparison operator will always resolve to False. The != comparison operator should be used to evaluate this statement.

We are processing your report and will contact the pyeve/eve team within 24 hours. a month ago
Evan Ottinger submitted a
a month ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md a month ago
Evan Ottinger
a month ago

Researcher


Thank you. The issue has been closed. The maintainer has added SECURITY.md to the repository.

We have contacted a member of the pyeve/eve team and are waiting to hear back 25 days ago
pyeve/eve maintainer
23 days ago

Maintainer


Please submit a PR. I'll be happy to review it.

Evan Ottinger submitted a
23 days ago
Evan Ottinger
23 days ago

Researcher


I’ve submitted a patch for your review.

Evan Ottinger
23 days ago

Researcher


@admin - can you donate my bounty to the maintainer?

We have sent a follow up to the pyeve/eve team. We will try again in 7 days. 22 days ago
pyeve/eve maintainer validated this vulnerability 21 days ago
Evan Ottinger has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
pyeve/eve maintainer gave praise 21 days ago
Thank you.
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
Evan Ottinger
21 days ago

Researcher


@maintainer my pleasure!

Evan Ottinger
21 days ago

Researcher


@admin I would like to request a CVE if this qualifies.

Evan Ottinger submitted a
21 days ago
Evan Ottinger submitted a
21 days ago
Evan Ottinger
21 days ago

Researcher


Sorry for the multiple patch submissions...I'm new lol.

Do I still need to create a PR on GitHub?

pyeve/eve maintainer
21 days ago

Maintainer


nope, I already patched it. Will release in a couple days.

Evan Ottinger
21 days ago

Researcher


Great--thank you!

Pavlos
19 days ago

Admin


@maintainer feel free to mark it as fixed, the report won't be made public :)

pyeve/eve maintainer marked this as fixed in 2.0.4 with commit 71689d 18 days ago
Evan Ottinger has been awarded the fix bounty
This vulnerability will not receive a CVE
common.py#L760 has been validated
pyeve/eve maintainer published this vulnerability 18 days ago
to join this conversation