Fix critical RCE via deserialization and eval() in /crawl endpoint

- Replace raw eval() in _compute_field() with AST-validated _safe_eval_expression() that blocks __import__, dunder attribute access, and import statements while preserving safe transforms - Add ALLOWED_DESERIALIZE_TYPES allowlist to from_serializable_dict() preventing arbitrary class instantiation from API input - Update security contact email and add v0.8.1 security fixes to SECURITY.md with researcher acknowledgment - Add 17 security tests covering both fixes
2026-01-30 08:46:01 +00:00
parent ad5ebf166a
commit 0104db6de2
4 changed files with 288 additions and 7 deletions
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -24,7 +24,7 @@ Instead, please report via one of these methods:
   - Fill in the details
 2. **Email**
-   - Send details to: aravind@crawl4ai.com and nasrin@crawl4ai.com
+   - Send details to: unclecode@crawl4ai.com (CC: nasrin@crawl4ai.com and aravind@crawl4ai.com)
   - Use subject: `[SECURITY] Brief description`
   - Include:
     - Description of the vulnerability
@@ -98,10 +98,21 @@ When using Crawl4AI as a Python library:
 | CVE-pending-1 | CRITICAL | RCE via hooks `__import__` | Removed from allowed builtins |
 | CVE-pending-2 | HIGH | LFI via `file://` URLs | URL scheme validation added |
 ### Fixed in v0.8.1
 | ID | Severity | Description | Fix |
 |----|----------|-------------|-----|
 | CVE-pending-3 | CRITICAL | RCE via deserialization + `eval()` in `/crawl` endpoint | Allowlisted deserializable types; AST-validated computed field expressions |
 See [Security Advisory](https://github.com/unclecode/crawl4ai/security/advisories) for details.
 ## Security Features
 ### v0.8.1+
 - **Deserialization Allowlist**: Only known-safe types can be instantiated via API config
 - **Safe Expression Evaluation**: Computed fields use AST validation (no `__import__`, no dunder access)
 ### v0.8.0+
 - **URL Scheme Validation**: Blocks `file://`, `javascript:`, `data:` URLs on API
@@ -115,7 +126,8 @@ See [Security Advisory](https://github.com/unclecode/crawl4ai/security/advisorie
 We thank the following security researchers for responsibly disclosing vulnerabilities:
- **[Neo by ProjectDiscovery](https://projectdiscovery.io/blog/introducing-neo)** - RCE and LFI vulnerabilities (December 2025)
+- **Alec M** — RCE via deserialization in `/crawl` endpoint (January 2026)
 - **[Neo by ProjectDiscovery](https://projectdiscovery.io/blog/introducing-neo)** — RCE and LFI vulnerabilities (December 2025)
 ---
--- a/crawl4ai/async_configs.py
+++ b/crawl4ai/async_configs.py
@@ -41,6 +41,41 @@ class MatchMode(Enum):
 # from .proxy_strategy import ProxyConfig
 # Allowlist of types that can be deserialized via from_serializable_dict().
 # This prevents arbitrary class instantiation from untrusted input (e.g. API requests).
 ALLOWED_DESERIALIZE_TYPES = {
    # Config classes
    "BrowserConfig", "CrawlerRunConfig", "HTTPCrawlerConfig",
    "LLMConfig", "ProxyConfig", "GeolocationConfig",
    "SeedingConfig", "VirtualScrollConfig", "LinkPreviewConfig",
    # Extraction strategies
    "JsonCssExtractionStrategy", "JsonXPathExtractionStrategy",
    "JsonLxmlExtractionStrategy", "LLMExtractionStrategy",
    "CosineStrategy", "RegexExtractionStrategy",
    # Markdown / content
    "DefaultMarkdownGenerator",
    "PruningContentFilter", "BM25ContentFilter", "LLMContentFilter",
    # Scraping
    "LXMLWebScrapingStrategy",
    # Chunking
    "RegexChunking",
    # Deep crawl
    "BFSDeepCrawlStrategy", "DFSDeepCrawlStrategy", "BestFirstCrawlingStrategy",
    # Filters & scorers
    "FilterChain", "URLPatternFilter", "DomainFilter",
    "ContentTypeFilter", "URLFilter", "SEOFilter", "ContentRelevanceFilter",
    "KeywordRelevanceScorer", "URLScorer", "CompositeScorer",
    "DomainAuthorityScorer", "FreshnessScorer", "PathDepthScorer",
    # Enums
    "CacheMode", "MatchMode", "DisplayMode",
    # Dispatchers
    "MemoryAdaptiveDispatcher", "SemaphoreDispatcher",
    # Table extraction
    "DefaultTableExtraction", "NoTableExtraction",
    # Proxy
    "RoundRobinProxyStrategy",
 }
 def to_serializable_dict(obj: Any, ignore_default_value : bool = False):
    """
@@ -134,15 +169,21 @@ def from_serializable_dict(data: Any) -> Any:
        if data["type"] == "dict" and "value" in data:
            return {k: from_serializable_dict(v) for k, v in data["value"].items()}
        # Security: only allow known-safe types to be deserialized
        type_name = data["type"]
        if type_name not in ALLOWED_DESERIALIZE_TYPES:
            raise ValueError(
                f"Deserialization of type '{type_name}' is not allowed. "
                f"Only allowlisted configuration and strategy types can be deserialized."
            )
        cls = None
        # If you are receiving an error while trying to convert a dict to an object:
        # Either add a module to `modules_paths` list, or add the `data["type"]` to the crawl4ai __init__.py file
        module_paths = ["crawl4ai"]
        for module_path in module_paths:
            try:
                mod = importlib.import_module(module_path)
-                if hasattr(mod, data["type"]):
+                if hasattr(mod, type_name):
-                    cls = getattr(mod, data["type"])
+                    cls = getattr(mod, type_name)
                    break
            except (ImportError, AttributeError):
                continue
--- a/crawl4ai/extraction_strategy.py
+++ b/crawl4ai/extraction_strategy.py
@@ -1,4 +1,5 @@
 from abc import ABC, abstractmethod
 import ast
 import inspect
 from typing import Any, List, Dict, Optional, Tuple, Pattern, Union
 from concurrent.futures import ThreadPoolExecutor, as_completed
@@ -1001,6 +1002,69 @@ class LLMExtractionStrategy(ExtractionStrategy):
 #######################################################
 # New extraction strategies for JSON-based extraction #
 #######################################################
 # Safe builtins allowed in computed field expressions
 _SAFE_EVAL_BUILTINS = {
    "str": str, "int": int, "float": float, "bool": bool,
    "len": len, "round": round, "abs": abs, "min": min, "max": max,
    "sum": sum, "sorted": sorted, "reversed": reversed,
    "list": list, "dict": dict, "tuple": tuple, "set": set,
    "enumerate": enumerate, "zip": zip, "map": map, "filter": filter,
    "any": any, "all": all, "range": range,
    "True": True, "False": False, "None": None,
    "isinstance": isinstance, "type": type,
 }
 def _safe_eval_expression(expression: str, local_vars: dict) -> Any:
    """
    Evaluate a computed field expression safely using AST validation.
    Allows simple transforms (math, string methods, attribute access on data)
    while blocking dangerous operations (__import__, dunder access, etc.).
    Args:
        expression: The Python expression string to evaluate.
        local_vars: The local variables (extracted item fields) available to the expression.
    Returns:
        The result of evaluating the expression.
    Raises:
        ValueError: If the expression contains disallowed constructs.
    """
    try:
        tree = ast.parse(expression, mode="eval")
    except SyntaxError as e:
        raise ValueError(f"Invalid expression syntax: {e}")
    for node in ast.walk(tree):
        # Block import statements
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            raise ValueError("Import statements are not allowed in expressions")
        # Block attribute access to dunder attributes (e.g., __class__, __globals__)
        if isinstance(node, ast.Attribute) and node.attr.startswith("_"):
            raise ValueError(
                f"Access to private/dunder attribute '{node.attr}' is not allowed"
            )
        # Block calls to __import__ or any name starting with _
        if isinstance(node, ast.Call):
            func = node.func
            if isinstance(func, ast.Name) and func.id.startswith("_"):
                raise ValueError(
                    f"Calling '{func.id}' is not allowed in expressions"
                )
            if isinstance(func, ast.Attribute) and func.attr.startswith("_"):
                raise ValueError(
                    f"Calling '{func.attr}' is not allowed in expressions"
                )
    safe_globals = {"__builtins__": _SAFE_EVAL_BUILTINS}
    return eval(compile(tree, "<expression>", "eval"), safe_globals, local_vars)
 class JsonElementExtractionStrategy(ExtractionStrategy):
    """
    Abstract base class for extracting structured JSON from HTML content.
@@ -1236,7 +1300,7 @@ class JsonElementExtractionStrategy(ExtractionStrategy):
    def _compute_field(self, item, field):
        try:
            if "expression" in field:
-                return eval(field["expression"], {}, item)
+                return _safe_eval_expression(field["expression"], item)
            elif "function" in field:
                return field["function"](item)
        except Exception as e:
--- a/deploy/docker/tests/test_security_fixes.py
+++ b/deploy/docker/tests/test_security_fixes.py
@@ -160,6 +160,170 @@ class TestHooksEnabled(unittest.TestCase):
                os.environ.pop("CRAWL4AI_HOOKS_ENABLED", None)
 class TestComputedFieldSafety(unittest.TestCase):
    """Test that computed field expressions block dangerous operations.
    Mirrors the AST-based _safe_eval_expression() logic from extraction_strategy.py
    to test without importing heavy crawl4ai dependencies.
    """
    def setUp(self):
        """Set up the safe eval function (local copy of the logic)."""
        import ast
        SAFE_BUILTINS = {
            "str": str, "int": int, "float": float, "bool": bool,
            "len": len, "round": round, "abs": abs, "min": min, "max": max,
            "sum": sum, "sorted": sorted, "reversed": reversed,
            "list": list, "dict": dict, "tuple": tuple, "set": set,
            "enumerate": enumerate, "zip": zip, "map": map, "filter": filter,
            "any": any, "all": all, "range": range,
            "True": True, "False": False, "None": None,
            "isinstance": isinstance, "type": type,
        }
        def safe_eval(expression, local_vars):
            tree = ast.parse(expression, mode="eval")
            for node in ast.walk(tree):
                if isinstance(node, (ast.Import, ast.ImportFrom)):
                    raise ValueError("Import statements are not allowed")
                if isinstance(node, ast.Attribute) and node.attr.startswith("_"):
                    raise ValueError(f"Access to '{node.attr}' is not allowed")
                if isinstance(node, ast.Call):
                    func = node.func
                    if isinstance(func, ast.Name) and func.id.startswith("_"):
                        raise ValueError(f"Calling '{func.id}' is not allowed")
                    if isinstance(func, ast.Attribute) and func.attr.startswith("_"):
                        raise ValueError(f"Calling '{func.attr}' is not allowed")
            safe_globals = {"__builtins__": SAFE_BUILTINS}
            return eval(compile(tree, "<expression>", "eval"), safe_globals, local_vars)
        self.safe_eval = safe_eval
    # === SECURITY TESTS: These expressions must be BLOCKED ===
    def test_import_blocked(self):
        """__import__('os') must be blocked."""
        with self.assertRaises(ValueError):
            self.safe_eval("__import__('os').system('id')", {})
    def test_dunder_attribute_blocked(self):
        """Access to __class__, __globals__, etc. must be blocked."""
        with self.assertRaises(ValueError):
            self.safe_eval("''.__class__.__bases__", {})
    def test_dunder_method_call_blocked(self):
        """Calls to dunder methods must be blocked."""
        with self.assertRaises(ValueError):
            self.safe_eval("x.__getattribute__('y')", {"x": {}})
    def test_os_popen_via_import_blocked(self):
        """The exact POC from the vulnerability report must be blocked."""
        with self.assertRaises(ValueError):
            self.safe_eval('__import__("os").popen("id").read()', {})
    # === FUNCTIONALITY TESTS: These expressions must WORK ===
    def test_simple_math(self):
        """Basic arithmetic on item values must work."""
        result = self.safe_eval("price * 1.1", {"price": 100})
        self.assertAlmostEqual(result, 110.0)
    def test_string_method(self):
        """String methods on item values must work."""
        result = self.safe_eval("name.upper()", {"name": "hello"})
        self.assertEqual(result, "HELLO")
    def test_string_concatenation(self):
        """String concatenation must work."""
        result = self.safe_eval("first + ' ' + last", {"first": "John", "last": "Doe"})
        self.assertEqual(result, "John Doe")
    def test_dict_access(self):
        """Dict-style field access must work."""
        result = self.safe_eval("a + b", {"a": 10, "b": 20})
        self.assertEqual(result, 30)
    def test_builtin_functions(self):
        """Safe builtins like len, str, int must work."""
        result = self.safe_eval("len(name)", {"name": "hello"})
        self.assertEqual(result, 5)
    def test_round_function(self):
        """round() must work for numeric formatting."""
        result = self.safe_eval("round(price, 2)", {"price": 10.456})
        self.assertEqual(result, 10.46)
 class TestDeserializationAllowlist(unittest.TestCase):
    """Test that the deserialization allowlist blocks non-allowlisted types.
    Tests the allowlist constant directly without importing heavy dependencies.
    """
    def setUp(self):
        """Set up the allowlist (local copy of the constant)."""
        self.allowed_types = {
            "BrowserConfig", "CrawlerRunConfig", "HTTPCrawlerConfig",
            "LLMConfig", "ProxyConfig", "GeolocationConfig",
            "SeedingConfig", "VirtualScrollConfig", "LinkPreviewConfig",
            "JsonCssExtractionStrategy", "JsonXPathExtractionStrategy",
            "JsonLxmlExtractionStrategy", "LLMExtractionStrategy",
            "CosineStrategy", "RegexExtractionStrategy",
            "DefaultMarkdownGenerator",
            "PruningContentFilter", "BM25ContentFilter", "LLMContentFilter",
            "LXMLWebScrapingStrategy",
            "RegexChunking",
            "BFSDeepCrawlStrategy", "DFSDeepCrawlStrategy", "BestFirstCrawlingStrategy",
            "FilterChain", "URLPatternFilter", "DomainFilter",
            "ContentTypeFilter", "URLFilter", "SEOFilter", "ContentRelevanceFilter",
            "KeywordRelevanceScorer", "URLScorer", "CompositeScorer",
            "DomainAuthorityScorer", "FreshnessScorer", "PathDepthScorer",
            "CacheMode", "MatchMode", "DisplayMode",
            "MemoryAdaptiveDispatcher", "SemaphoreDispatcher",
            "DefaultTableExtraction", "NoTableExtraction",
            "RoundRobinProxyStrategy",
        }
    # === SECURITY TESTS: Non-allowlisted types must be BLOCKED ===
    def test_arbitrary_class_not_in_allowlist(self):
        """AsyncWebCrawler must NOT be in the allowlist."""
        self.assertNotIn("AsyncWebCrawler", self.allowed_types)
    def test_crawler_hub_not_in_allowlist(self):
        """CrawlerHub must NOT be in the allowlist."""
        self.assertNotIn("CrawlerHub", self.allowed_types)
    def test_browser_profiler_not_in_allowlist(self):
        """BrowserProfiler must NOT be in the allowlist."""
        self.assertNotIn("BrowserProfiler", self.allowed_types)
    def test_docker_client_not_in_allowlist(self):
        """Crawl4aiDockerClient must NOT be in the allowlist."""
        self.assertNotIn("Crawl4aiDockerClient", self.allowed_types)
    # === FUNCTIONALITY TESTS: Allowlisted types must be present ===
    def test_allowlist_has_core_config_types(self):
        """Core config types must be in the allowlist."""
        required = {"BrowserConfig", "CrawlerRunConfig", "LLMConfig", "ProxyConfig"}
        self.assertTrue(required.issubset(self.allowed_types))
    def test_allowlist_has_extraction_strategies(self):
        """Extraction strategy types must be in the allowlist."""
        required = {
            "JsonCssExtractionStrategy", "LLMExtractionStrategy",
            "RegexExtractionStrategy",
        }
        self.assertTrue(required.issubset(self.allowed_types))
    def test_allowlist_has_enums(self):
        """Enum types must be in the allowlist."""
        required = {"CacheMode", "MatchMode", "DisplayMode"}
        self.assertTrue(required.issubset(self.allowed_types))
 if __name__ == '__main__':
    print("=" * 60)
    print("Crawl4AI Security Fixes - Unit Tests")