mirror of
https://github.com/unclecode/crawl4ai.git
synced 2026-06-11 00:08:01 +00:00
- Disable eval() in _compute_field expression path (RCE vector via untrusted input). Expression key now logs a warning and returns default; function key still works.
- Harden _safe_eval_config in server.py with name/attribute allowlists; block lambdas, generators, comprehensions in constructor args.
- Remove getattr/setattr from hook_manager allowed builtins (sandbox escape vectors).
- Add 67 adversarial security tests covering all eval/exec attack surfaces.

Closes #1886, closes #1855
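As an added illustration of the hardening pattern the commit describes (this is not crawl4ai's own `_safe_eval_config`; `DemoConfig`, the allowlists, `validate_config_expr`, `safe_eval_config` and the exception class are all constructed for this example), an AST-validated evaluator that checks every name and attribute against an allowlist, rejects lambdas, generators and comprehensions before anything is evaluated, and only lets allowlisted constructors be called:

```python
import ast
from dataclasses import dataclass
from typing import Any


@dataclass
class DemoConfig:
    """Stand-in for a crawler config class (constructed for this example)."""
    headless: bool = True
    timeout: int = 30


class UnsafeConfigExpression(ValueError):
    """Raised when a config expression contains anything outside the allowlist."""


# Allowlists are constructed for this example; the project's real lists are not on the page.
ALLOWED_CALLABLES = {"DemoConfig": DemoConfig}          # only these may appear in a call position
ALLOWED_NAMES = set(ALLOWED_CALLABLES)                   # bare names a user expression may reference
ALLOWED_ATTRS = {"headless", "timeout"}                  # attribute access is limited to config fields
BLOCKED_NODES = (ast.Lambda, ast.GeneratorExp, ast.ListComp, ast.SetComp, ast.DictComp)


def validate_config_expr(src: str) -> ast.Expression:
    """Parse `src` as a single expression and reject it unless every node is allowlisted."""
    tree = ast.parse(src, mode="eval")
    for node in ast.walk(tree):
        if isinstance(node, BLOCKED_NODES):
            raise UnsafeConfigExpression(f"{type(node).__name__} is not allowed")
        if isinstance(node, ast.Name) and node.id not in ALLOWED_NAMES:
            raise UnsafeConfigExpression(f"name {node.id!r} is not allowed")
        if isinstance(node, ast.Attribute) and node.attr not in ALLOWED_ATTRS:
            raise UnsafeConfigExpression(f"attribute {node.attr!r} is not allowed")
        if isinstance(node, ast.Call) and not (
            isinstance(node.func, ast.Name) and node.func.id in ALLOWED_CALLABLES
        ):
            raise UnsafeConfigExpression("only allowlisted constructors may be called")
    return tree


def safe_eval_config(src: str) -> Any:
    """Evaluate a validated config expression with an empty builtins table."""
    tree = validate_config_expr(src)
    # Empty __builtins__: even a validated name cannot reach __import__, getattr, etc.
    return eval(compile(tree, "<config>", "eval"), {"__builtins__": {}}, dict(ALLOWED_CALLABLES))


def is_safe_config_expr(src: str) -> bool:
    """True if the expression passes validation, False if it is rejected."""
    try:
        validate_config_expr(src)
        return True
    except UnsafeConfigExpression:
        return False
```

The checks run on the parsed tree before `eval` is ever reached, so a rejected expression never executes at all.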