
CVE-2024-39700 PoC — Remote Code Execution (RCE) vulnerability in jupyterlab extension template `update-integration-tests` GitHub Action

Associated Vulnerability
Title: Remote Code Execution (RCE) vulnerability in jupyterlab extension template `update-integration-tests` GitHub Action (CVE-2024-39700)
Description: JupyterLab extension template is a `copier` template for JupyterLab extensions. Repositories created using this template with the `test` option include an `update-integration-tests.yml` workflow which has an RCE vulnerability. Extension authors hosting their code on GitHub are urged to upgrade the template to the latest version. Users who made changes to `update-integration-tests.yml` should accept overwriting of this file and re-apply their changes later. Users may wish to temporarily disable GitHub Actions while working on the upgrade. We recommend rebasing all open pull requests from untrusted users, as actions may run using the version from the `main` branch at the time when the pull request was created. Users who are upgrading from a template version prior to 4.3.0 may wish to leave out the proposed changes to the release workflow for now, as it requires additional configuration.
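The advisory tells extension authors to look for the `update-integration-tests.yml` workflow and to upgrade the template, but gives no way to triage many repositories at once. The helper below is an added example, not code from the PoC repository or from the JupyterLab template. It assumes a copier-generated checkout: it looks for the workflow file named in the advisory under `.github/workflows/` and reads the template tag that copier records as `_commit` in `.copier-answers.yml` (the snapshot below lists the file as `copier-answers.yml`, so both names are checked). The fixed template version is not stated on this page; the caller passes it as `fixed_version`, and the tag used in the demo at the bottom is a placeholder. The sample checkouts it builds under a temporary directory are constructed for demonstration only.

```python
"""Triage helper for CVE-2024-39700 (added example; assumes a copier-generated repo)."""
import os
import re
import tempfile
from typing import Dict, Optional, Tuple

# The workflow file named in the advisory.
WORKFLOW_PATH = os.path.join(".github", "workflows", "update-integration-tests.yml")
# copier writes its answers to `.copier-answers.yml`; the dot-less name is also
# checked because the file snapshot of this PoC lists `copier-answers.yml`.
ANSWER_FILES = (".copier-answers.yml", "copier-answers.yml")


def parse_answers(text: str) -> Dict[str, str]:
    """Minimal parser for copier's flat `key: value` answers file (no PyYAML needed).

    Values containing '#' are not expected in this file, so '#' starts a comment.
    """
    answers: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-") or ":" not in line:
            continue
        key, _, value = line.partition(":")  # first colon only: `_src_path: gh:org/repo`
        answers[key.strip()] = value.strip().strip("'\"")
    return answers


def version_tuple(tag: Optional[str]) -> Optional[Tuple[int, int, int]]:
    """Turn `v4.2.1` (or a dirty tag like `v4.2.1-3-gabc123`) into a comparable tuple."""
    if not tag:
        return None
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", tag)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def assess_repo(repo_dir: str, fixed_version: str) -> Dict[str, object]:
    """Report whether the advisory-named workflow is present and whether the
    template version copier recorded predates `fixed_version` (supplied by the caller)."""
    workflow_present = os.path.isfile(os.path.join(repo_dir, WORKFLOW_PATH))
    answers: Dict[str, str] = {}
    for name in ANSWER_FILES:
        path = os.path.join(repo_dir, name)
        if os.path.isfile(path):
            with open(path, encoding="utf-8") as fh:
                answers = parse_answers(fh.read())
            break
    commit = answers.get("_commit")
    have, need = version_tuple(commit), version_tuple(fixed_version)
    outdated: Optional[bool] = None if have is None or need is None else have < need
    if not workflow_present:
        verdict = "workflow absent: not covered by this advisory (or already removed)"
    elif outdated is None:
        verdict = "workflow present, template version unknown: inspect the workflow by hand"
    elif outdated:
        verdict = "workflow present and template predates the fix: run the template update"
    else:
        verdict = "template at or above the fixed version: confirm the workflow was regenerated"
    return {
        "workflow_present": workflow_present,
        "template_commit": commit,
        "test_option": answers.get("test"),
        "outdated": outdated,
        "verdict": verdict,
    }


def make_sample_repo(commit: str, with_workflow: bool = True) -> str:
    """Build a constructed, throwaway checkout for the demo and tests (not a real repo)."""
    root = tempfile.mkdtemp(prefix="ext-template-")
    with open(os.path.join(root, ".copier-answers.yml"), "w", encoding="utf-8") as fh:
        fh.write(
            "# Changes here will be overwritten by Copier\n"
            f"_commit: {commit}\n"
            "_src_path: gh:jupyterlab/extension-template\n"
            "kind: server\n"
            "test: true\n"
        )
    if with_workflow:
        wf = os.path.join(root, WORKFLOW_PATH)
        os.makedirs(os.path.dirname(wf))
        with open(wf, "w", encoding="utf-8") as fh:
            fh.write("name: Update Playwright Snapshots\n")  # placeholder; body is not inspected
    return root


if __name__ == "__main__":
    # "v4.3.0" is a placeholder: take the real fixed tag from the upstream advisory.
    for commit, with_wf in (("v4.2.0", True), ("v4.3.0", False)):
        print(assess_repo(make_sample_repo(commit, with_wf), fixed_version="v4.3.0"))
```

A "workflow present" result is the trigger to upgrade the template with copier's own `copier update` (copier 9 and later require `--trust` for templates that run tasks, as this one does), then, per the advisory, to accept the regenerated `update-integration-tests.yml`, re-apply local changes, and rebase open pull requests from untrusted contributors. The version check is only a hint: a repository whose answers file was hand-edited, or whose workflow was copied in from elsewhere, still needs the file inspected.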
Readme
# CVE_2024_39700_PoC

[![Github Actions Status](https://github.com/LOURC0D3/CVE-2024-39700-test/workflows/Build/badge.svg)](https://github.com/LOURC0D3/CVE-2024-39700-test/actions/workflows/build.yml)

CVE-2024-39700 Proof of Concept

This extension is composed of a Python package named `CVE_2024_39700_PoC`
for the server extension and a NPM package named `CVE-2024-39700-PoC`
for the frontend extension.

## Requirements

- JupyterLab >= 4.0.0

## Install

To install the extension, execute:

```bash
pip install CVE_2024_39700_PoC
```

## Uninstall

To remove the extension, execute:

```bash
pip uninstall CVE_2024_39700_PoC
```

## Troubleshoot

If you are seeing the frontend extension, but it is not working, check
that the server extension is enabled:

```bash
jupyter server extension list
```

If the server extension is installed and enabled, but you are not seeing
the frontend extension, check the frontend extension is installed:

```bash
jupyter labextension list
```

## Contributing

### Development install

Note: You will need NodeJS to build the extension package.

The `jlpm` command is JupyterLab's pinned version of
[yarn](https://yarnpkg.com/) that is installed with JupyterLab. You may use
`yarn` or `npm` in lieu of `jlpm` below.

```bash
# Clone the repo to your local environment
# Change directory to the CVE_2024_39700_PoC directory
# Install package in development mode
pip install -e ".[test]"
# Link your development version of the extension with JupyterLab
jupyter labextension develop . --overwrite
# Server extension must be manually installed in develop mode
jupyter server extension enable CVE_2024_39700_PoC
# Rebuild extension Typescript source after making changes
jlpm build
```

You can watch the source directory and run JupyterLab at the same time in different terminals to watch for changes in the extension's source and automatically rebuild the extension.

```bash
# Watch the source directory in one terminal, automatically rebuilding when needed
jlpm watch
# Run JupyterLab in another terminal
jupyter lab
```

With the watch command running, every saved change will immediately be built locally and available in your running JupyterLab. Refresh JupyterLab to load the change in your browser (you may need to wait several seconds for the extension to be rebuilt).

By default, the `jlpm build` command generates the source maps for this extension to make it easier to debug using the browser dev tools. To also generate source maps for the JupyterLab core extensions, you can run the following command:

```bash
jupyter lab build --minimize=False
```

### Development uninstall

```bash
# Server extension must be manually disabled in develop mode
jupyter server extension disable CVE_2024_39700_PoC
pip uninstall CVE_2024_39700_PoC
```

In development mode, you will also need to remove the symlink created by `jupyter labextension develop`
command. To find its location, you can run `jupyter labextension list` to figure out where the `labextensions`
folder is located. Then you can remove the symlink named `CVE-2024-39700-PoC` within that folder.

### Testing the extension

#### Server tests

This extension is using [Pytest](https://docs.pytest.org/) for Python code testing.

Install test dependencies (needed only once):

```sh
pip install -e ".[test]"
# Each time you install the Python package, you need to restore the front-end extension link
jupyter labextension develop . --overwrite
```

To execute them, run:

```sh
pytest -vv -r ap --cov CVE_2024_39700_PoC
```

#### Frontend tests

This extension is using [Jest](https://jestjs.io/) for JavaScript code testing.

To execute them, execute:

```sh
jlpm
jlpm test
```

#### Integration tests

This extension uses [Playwright](https://playwright.dev/docs/intro) for the integration tests (aka user level tests).
More precisely, the JupyterLab helper [Galata](https://github.com/jupyterlab/jupyterlab/tree/master/galata) is used to handle testing the extension in JupyterLab.

More information is provided in the [ui-tests](./ui-tests/README.md) README.

### Packaging the extension

See [RELEASE](RELEASE.md)
File Snapshot

```
[4.0K] /data/pocs/1dd55353cb982639a7da1fdb2e40c30d726e64ec
├── [  68] babel.config.js
├── [  86] CHANGELOG.md
├── [ 206] conftest.py
├── [ 451] copier-answers.yml
├── [4.0K] CVE_2024_39700_PoC
│   ├── [ 794] handlers.py
│   ├── [1.1K] __init__.py
│   └── [4.0K] tests
│       ├── [  48] __init__.py
│       └── [ 311] test_handlers.py
├── [ 197] install.json
├── [ 608] jest.config.js
├── [4.0K] jupyter-config
│   └── [4.0K] server-config
│       └── [  93] CVE_2024_39700_PoC.json
├── [1.5K] LICENSE
├── [6.7K] package.json
├── [2.6K] pyproject.toml
├── [4.0K] README.md
├── [2.3K] RELEASE.md
├── [  33] setup.py
├── [4.0K] src
│   ├── [1.1K] handler.ts
│   ├── [ 741] index.ts
│   └── [4.0K] __tests__
│       └── [ 193] CVE_2024_39700_PoC.spec.ts
├── [4.0K] style
│   ├── [ 138] base.css
│   ├── [  25] index.css
│   └── [  21] index.js
├── [ 537] tsconfig.json
├── [  80] tsconfig.test.json
├── [4.0K] ui-tests
│   ├── [ 397] jupyter_server_test_config.py
│   ├── [ 435] package.json
│   ├── [ 340] playwright.config.js
│   ├── [3.7K] README.md
│   ├── [4.0K] tests
│   │   └── [ 537] CVE_2024_39700_PoC.spec.ts
│   └── [   0] yarn.lock
└── [368K] yarn.lock

9 directories, 32 files
```