Kedro has Arbitrary Code Execution via Malicious Logging Configuration
Platform
python
Component
kedro
Fixed in
1.3.0
### Impact

This is a **critical Remote Code Execution (RCE)** vulnerability caused by unsafe use of `logging.config.dictConfig()` with user-controlled input. Kedro allows the logging configuration file path to be set via the `KEDRO_LOGGING_CONFIG` environment variable and loads it without validation. The logging configuration schema supports the special `()` key, which enables arbitrary callable instantiation. An attacker can exploit this to execute arbitrary system commands during application startup.

---

### Patches

The vulnerability is fixed by introducing validation that rejects the unsafe `()` factory key in logging configurations before passing them to `dictConfig()`.

#### Fixed in

- Kedro 1.3.0

Users should upgrade to this version as soon as possible.

---

### Workarounds

If upgrading is not immediately possible:

- Do not allow untrusted input to control the `KEDRO_LOGGING_CONFIG` environment variable
- Restrict write access to logging configuration files
- Avoid using externally supplied or dynamically generated logging configs
- Manually validate logging YAML to ensure it does not contain the `()` key

These mitigations reduce risk but do not fully eliminate it.
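As an added example (not Kedro's own code), this is the kind of pre-`dictConfig()` check the patch describes: walk the parsed logging config and refuse any mapping that carries the `()` factory key, since `dictConfig()` would otherwise resolve and call whatever that key names. It assumes the YAML has already been parsed into a dict with `yaml.safe_load`; the two sample configs are constructed for illustration.

```python
import logging
import logging.config
from typing import Any

def find_factory_keys(node: Any, path: str = "") -> list[str]:
    """Return the config paths of every `()` key anywhere in the tree."""
    found: list[str] = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else str(key)
            if key == "()":  # dictConfig treats this as "call this factory"
                found.append(child)
            found.extend(find_factory_keys(value, child))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            found.extend(find_factory_keys(item, f"{path}[{index}]"))
    return found

def validate_logging_config(config: Any) -> dict:
    """Refuse anything that is not a mapping or that uses the `()` key."""
    if not isinstance(config, dict):
        raise ValueError("logging config must be a mapping")
    offending = find_factory_keys(config)
    if offending:
        raise ValueError("unsafe `()` key at: " + ", ".join(offending))
    return config

def apply_logging_config(config: Any) -> bool:
    """Validate first, then hand the config to dictConfig; False if rejected."""
    try:
        validate_logging_config(config)
    except ValueError:
        return False  # nothing is applied; the process keeps its current logging
    logging.config.dictConfig(config)
    return True

# Constructed samples, as they would look after yaml.safe_load of a Kedro logging.yml.
SAFE_CONFIG = {
    "version": 1,
    "handlers": {"console": {"class": "logging.StreamHandler", "level": "INFO"}},
    "root": {"level": "INFO", "handlers": ["console"]},
}
# dictConfig would import and call whatever `()` names; the check rejects the
# config before that happens. The factory here is a harmless placeholder.
UNSAFE_CONFIG = {
    "version": 1,
    "handlers": {"console": {"()": "logging.StreamHandler"}},
    "root": {"handlers": ["console"]},
}
```

The check also catches `()` keys nested under `formatters`, `filters` or inside lists, which is where a hand-written "does the YAML contain `()`" review can miss them.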
How to fix
No official patch available. Check for workarounds or monitor for updates.