unclecode 0104db6de2 Fix critical RCE via deserialization and eval() in /crawl endpoint ...

- Replace raw eval() in _compute_field() with AST-validated
  _safe_eval_expression() that blocks __import__, dunder attribute
  access, and import statements while preserving safe transforms
- Add ALLOWED_DESERIALIZE_TYPES allowlist to from_serializable_dict()
  preventing arbitrary class instantiation from API input
- Update security contact email and add v0.8.1 security fixes to
  SECURITY.md with researcher acknowledgment
- Add 17 security tests covering both fixes

2026-01-30 08:46:32 +00:00

14 KiB

Raw Permalink Blame History

View Raw