feat: verify S225 @g5n-dev bounty — NO, duplicate of S120#348

Open
xliry wants to merge 4 commits into peteromallet:main from xliry:task-537-lota-1
Conversation

@xliry xliry commented Mar 7, 2026

Issue: #204
Submission: #204 (comment)
Author: @g5n-dev

Problem (in our own words)

S225 reports that discovery.py:95-106 auto-loads and executes arbitrary Python files from the scan target's .desloppify/plugins/ directory via importlib.util.spec_from_file_location() + exec_module(), without user consent, sandboxing, or signature verification. This creates an RCE vector when scanning untrusted repositories.

Evidence

  • `desloppify/languages/_framework/discovery.py:95-106`: `load_all()` globs `*.py` from `get_project_root() / ".desloppify" / "plugins"` and executes them via `spec.loader.exec_module(mod)` with no validation
  • `desloppify/base/discovery/paths.py`: `get_project_root()` resolves to the scan target directory
  • Failures logged at DEBUG level only, suppressing visibility

Fix

No fix needed — verdict is NO (duplicate of S120).

Verdict

| Question | Answer | Reasoning |
| --- | --- | --- |
| Is this poor engineering? | YES | Auto-executing code from a scan target without consent violates the trust model of a code analysis tool |
| Is this at least somewhat significant? | YES | RCE via plugin auto-loading is a real security concern |

Final verdict: NO

The vulnerability is real and well-described, but S120 (@optimus-fulcria, 2026-03-05T10:10:19Z) reported the identical issue — same file, same code lines, same vulnerability class — nearly 22 hours earlier. S126 and S146 also pre-date this submission.

Scores

| Criterion | Score |
| --- | --- |
| Significance | 6/10 |
| Originality | 1/10 |
| Core Impact | 5/10 |
| Overall | 2/10 |

Summary

The submission accurately identifies that discovery.py auto-loads arbitrary Python from .desloppify/plugins/ without consent or sandboxing, creating an RCE vector. However, this exact vulnerability was reported by @optimus-fulcria as S120 approximately 22 hours earlier, making S225 a duplicate with no originality credit.

Why Desloppify Missed This

  • What should catch: A security-focused static analyzer or taint analysis tool tracking exec_module() calls on user-controlled paths
  • Why not caught: Desloppify analyzes code quality patterns, not security-specific data flow or taint tracking
  • What could catch: Bandit (S310/S603), Semgrep rules for dynamic module loading, or a custom rule flagging exec_module on paths derived from user input

Verdict Files

Generated with Lota
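The custom rule suggested under "What could catch" above, as an added illustration that is not part of the submission or of the Desloppify project: an AST check that flags `spec_from_file_location()` calls whose path argument is not a string literal, run over a constructed sample that mirrors the described loader. The sample source and the `Finding` type are assumptions made for the example.

```python
import ast
from dataclasses import dataclass

# Constructed sample (not the project's discovery.py) mirroring the pattern the
# verdict describes: glob *.py under the scan target, then exec_module() each file.
# load_fixed() loads from a fixed, reviewable path and should not be reported.
SAMPLE_SOURCE = '''
import importlib.util
from pathlib import Path

def load_all(root: Path):
    for path in (root / ".desloppify" / "plugins").glob("*.py"):
        spec = importlib.util.spec_from_file_location(path.stem, path)
        mod = importlib.util.module_from_spec(spec)
        spec.loader.exec_module(mod)

def load_fixed():
    spec = importlib.util.spec_from_file_location("x", "/opt/tool/plugins/x.py")
    mod = importlib.util.module_from_spec(spec)
    spec.loader.exec_module(mod)
'''


@dataclass
class Finding:
    lineno: int
    expr: str  # source text of the non-literal path argument


def find_dynamic_loads(source: str) -> list:
    """Report spec_from_file_location() calls whose path is not a string literal.

    A literal path is a fixed location a reviewer can inspect; a variable path
    (here one produced by globbing the scan target) is the auto-load pattern the
    verdict describes. Positional and `location=` keyword forms are both handled.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        # Works for both `importlib.util.spec_from_file_location(...)` and a bare name.
        name = getattr(node.func, "attr", None) or getattr(node.func, "id", None)
        if name != "spec_from_file_location":
            continue
        location = node.args[1] if len(node.args) > 1 else None
        for kw in node.keywords:
            if kw.arg == "location":
                location = kw.value
        if location is not None and not isinstance(location, ast.Constant):
            findings.append(Finding(node.lineno, ast.unparse(location)))
    return findings
```

Running `find_dynamic_loads(SAMPLE_SOURCE)` reports only the glob-driven call in `load_all()`; the fixed-path call in `load_fixed()` is left alone, which is the distinction a reviewer wants when triaging plugin loaders.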

xliry and others added 4 commits March 7, 2026 03:58
… (#451)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…eld confirmed (#456)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>