bug: upgrade mechanism uses Python file import as IPC, enabling arbitrary code execution via crafted .py files on USB

[RockyOmvi]

Describe the bug

The upgrade mechanism communicates between versions by writing Python .py files (upgraded_from.py, upgraded_to.py) containing dict/string literals to disk, then immediately importing them. This is executed Python code by design — an attacker who can write to the app directory can inject arbitrary code that runs with the application's privileges.

The EXE_DIR is often on a USB drive (since BusKill is designed to run from a USB kill cord), making physical write access a realistic threat scenario.

Code reference

src/packages/buskill/__init__.py:782-783,832-833:

from upgraded_from import UPGRADED_FROM
...
from upgraded_to import UPGRADED_TO

src/packages/buskill/__init__.py:2198-2206:

with open( os.path.join( new_version_exe_dir, 'upgraded_from.py' ), 'w' ) as fd:
    fd.write( 'UPGRADED_FROM = ' +str(contents) )
...
with open( os.path.join( self.EXE_DIR, 'upgraded_to.py' ), 'w' ) as fd:
    fd.write( 'UPGRADED_TO = ' +str(self.UPGRADED_TO) )

Expected behavior

Use a safe serialization format like json or configparser instead of writing and importing Python source files. For example:

# Write
import json
with open(path, 'w') as f:
    json.dump({'UPGRADED_FROM': contents}, f)

# Read
with open(path) as f:
    data = json.load(f)
    UPGRADED_FROM = data['UPGRADED_FROM']

Severity

High — arbitrary code execution via crafted .py files on the USB drive.

[maltfield]

Thanks for the report :)

since BusKill is designed to run from a USB kill cord
...
High — arbitrary code execution via crafted .py files on the USB drive.

Just to clarify, BusKill does not run from the USB drive. The install instructions require the user to copy the files to the computer:

• https://buskill.in/start

[maltfield]

I'm reading this as "someone who has write access to the buskill files can change buskill code". I don't really understand why that's a vulnerability?

If you install BusKill in apt, for example, you're going to get a bunch of sourcecode files on your computer

user@disp3760:~$ sudo apt-get install buskill
...
user@disp3760:~$ 

user@disp3760:~$ dpkg-query -L buskill | grep -iE '.py$'
/usr/share/buskill/buskill_cli.py
/usr/share/buskill/buskill_gui.py
/usr/share/buskill/buskill_version.py
/usr/share/buskill/main.py
/usr/share/buskill/packages/buskill/__init__.py
/usr/share/buskill/packages/buskill/root_child_mac.py
/usr/share/buskill/packages/garden/navigationdrawer/__init__.py
/usr/share/buskill/packages/garden/progressspinner/__init__.py
user@disp3760:~$ 

Of course, anyone with write access to those files can modify these files and execute code arbitrarily with the application's privileges. I don't think that's a vulnerability. We trust the user.

[maltfield]

Please note that we also have a policy not to include contributions from AI:

• https://github.com/BusKill/buskill-app/blob/f21531dd9e5c40958520109cf6b0dcc484081fbf/CONTRIBUTING.md#ai-policy

Can you please indicate if, for any of the several bug reports you just submitted, you wrote this code yourself -- or if you used AI to write the code?

[RockyOmvi]

@maltfield — thanks for the thoughtful reply! A few things:

1. On the severity: You're right that physical/USB write access is the same threat model as modifying any installed file. I'd still argue import-from-writable-file is riskier than json.load because a single corrupted byte in a .py file can produce different executed code (not just a parse error), but I concede this is a defense-in-depth concern rather than a practical vulnerability given BusKill's threat model. Feel free to close as not applicable.
2. On AI use: To be transparent — The bugs themselves (the hardcoded git path, the null lparam, the thread safety issue, the bare excepts, the exit code) are real findings confirmed by reading the source, but the reports were assembled with AI assistance. If that violates your contribution policy, I apologize and will respect whatever action you take (closing the issues, etc.).