Introduction
# CVE_2024_39700_PoC
[Build status](https://github.com/LOURC0D3/CVE-2024-39700-test/actions/workflows/build.yml)
CVE-2024-39700 Proof of Concept
This extension is composed of a Python package named `CVE_2024_39700_PoC`
for the server extension and an NPM package named `CVE-2024-39700-PoC`
for the frontend extension.
## Requirements
- JupyterLab >= 4.0.0
## Install
To install the extension, execute:
```bash
pip install CVE_2024_39700_PoC
```
## Uninstall
To remove the extension, execute:
```bash
pip uninstall CVE_2024_39700_PoC
```
## Troubleshoot
If you are seeing the frontend extension, but it is not working, check
that the server extension is enabled:
```bash
jupyter server extension list
```
If the server extension is installed and enabled, but you are not seeing
the frontend extension, check that the frontend extension is installed:
```bash
jupyter labextension list
```
## Contributing
### Development install
Note: You will need NodeJS to build the extension package.
The `jlpm` command is JupyterLab's pinned version of
[yarn](https://yarnpkg.com/) that is installed with JupyterLab. You may use
`yarn` or `npm` in lieu of `jlpm` below.
```bash
# Clone the repo to your local environment
# Change directory to the CVE_2024_39700_PoC directory
# Install package in development mode
pip install -e ".[test]"
# Link your development version of the extension with JupyterLab
jupyter labextension develop . --overwrite
# Server extension must be manually installed in develop mode
jupyter server extension enable CVE_2024_39700_PoC
# Rebuild extension TypeScript source after making changes
jlpm build
```
You can watch the source directory and run JupyterLab at the same time in different terminals to watch for changes in the extension's source and automatically rebuild the extension.
```bash
# Watch the source directory in one terminal, automatically rebuilding when needed
jlpm watch
# Run JupyterLab in another terminal
jupyter lab
```
With the watch command running, every saved change will immediately be built locally and available in your running JupyterLab. Refresh JupyterLab to load the change in your browser (you may need to wait several seconds for the extension to be rebuilt).
By default, the `jlpm build` command generates the source maps for this extension to make it easier to debug using the browser dev tools. To also generate source maps for the JupyterLab core extensions, you can run the following command:
```bash
jupyter lab build --minimize=False
```
### Development uninstall
```bash
# Server extension must be manually disabled in develop mode
jupyter server extension disable CVE_2024_39700_PoC
pip uninstall CVE_2024_39700_PoC
```
In development mode, you will also need to remove the symlink created by the `jupyter labextension develop`
command. To find its location, run `jupyter labextension list` to see where the `labextensions`
folder is located. Then remove the symlink named `CVE-2024-39700-PoC` within that folder.
### Testing the extension
#### Server tests
This extension is using [Pytest](https://docs.pytest.org/) for Python code testing.
Install test dependencies (needed only once):
```sh
pip install -e ".[test]"
# Each time you install the Python package, you need to restore the front-end extension link
jupyter labextension develop . --overwrite
```
To execute them, run:
```sh
pytest -vv -r ap --cov CVE_2024_39700_PoC
```
#### Frontend tests
This extension is using [Jest](https://jestjs.io/) for JavaScript code testing.
To execute them, run:
```sh
jlpm
jlpm test
```
#### Integration tests
This extension uses [Playwright](https://playwright.dev/docs/intro) for the integration tests (aka user level tests).
More precisely, the JupyterLab helper [Galata](https://github.com/jupyterlab/jupyterlab/tree/master/galata) is used to handle testing the extension in JupyterLab.
More information is provided in the [ui-tests](./ui-tests/README.md) README.
### Packaging the extension
See [RELEASE](RELEASE.md)
File snapshot
```
[4.0K] /data/pocs/1dd55353cb982639a7da1fdb2e40c30d726e64ec
├── [ 68] babel.config.js
├── [ 86] CHANGELOG.md
├── [ 206] conftest.py
├── [ 451] copier-answers.yml
├── [4.0K] CVE_2024_39700_PoC
│   ├── [ 794] handlers.py
│   ├── [1.1K] __init__.py
│   └── [4.0K] tests
│       ├── [ 48] __init__.py
│       └── [ 311] test_handlers.py
├── [ 197] install.json
├── [ 608] jest.config.js
├── [4.0K] jupyter-config
│   └── [4.0K] server-config
│       └── [ 93] CVE_2024_39700_PoC.json
├── [1.5K] LICENSE
├── [6.7K] package.json
├── [2.6K] pyproject.toml
├── [4.0K] README.md
├── [2.3K] RELEASE.md
├── [ 33] setup.py
├── [4.0K] src
│   ├── [1.1K] handler.ts
│   ├── [ 741] index.ts
│   └── [4.0K] __tests__
│       └── [ 193] CVE_2024_39700_PoC.spec.ts
├── [4.0K] style
│   ├── [ 138] base.css
│   ├── [ 25] index.css
│   └── [ 21] index.js
├── [ 537] tsconfig.json
├── [ 80] tsconfig.test.json
├── [4.0K] ui-tests
│   ├── [ 397] jupyter_server_test_config.py
│   ├── [ 435] package.json
│   ├── [ 340] playwright.config.js
│   ├── [3.7K] README.md
│   ├── [4.0K] tests
│   │   └── [ 537] CVE_2024_39700_PoC.spec.ts
│   └── [ 0] yarn.lock
└── [368K] yarn.lock

9 directories, 32 files
```