I agree with you, but the main function will be used by developers and/or system administrators, and only they can attack themselves. So, I think setting a configuration key via the command line is a useful feature.
I'll try to rewrite this portion of code without the `exec` built-in function.
Hello,

When conducting a security audit of the source code that includes nanohttp I noticed that there is an `exec` done when loading the settings, e.g. https://github.com/Carrene/nanohttp/blob/master/nanohttp/cli/entry.py#L73: `exec(f'settings.{key} = {value}')`

Is this behavior necessary? From a security point of view, this is very dangerous behavior, especially if the origin of the `key` or `value` can't be trusted. I would strongly suggest replacing this with a call to the built-in `setattr` function which you can use instead and achieves the same thing in a safe way.
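The following is an added example of the replacement the reporter suggests; it is not nanohttp's code and the `Settings` layout it uses is a constructed stand-in, since the real settings object is not shown on the page. It keeps what `exec(f'settings.{key} = {value}')` gave the CLI (dotted keys such as `db.url`, values typed as Python literals so `8080` becomes an `int`) while only ever assigning through `setattr` to attributes that already exist, and it validates each key component as a plain identifier so the override cannot reach dunder attributes or run code.

```python
import ast
from types import SimpleNamespace


def make_settings():
    """Constructed stand-in for the settings object (hypothetical; not nanohttp's real class)."""
    return SimpleNamespace(
        debug=False,
        port=8080,
        db=SimpleNamespace(url="sqlite://", pool_size=5),
    )


def parse_value(raw: str):
    """Interpret a command-line value as a Python literal, never as code.

    exec() evaluated the value string as an arbitrary expression; ast.literal_eval
    only accepts literals (numbers, strings, booleans, None, tuples/lists/dicts of
    those), so "8080" -> 8080 and "True" -> True, while anything that is not a
    literal (a name, a call, an import) is rejected and kept as a plain string.
    """
    try:
        return ast.literal_eval(raw)
    except (ValueError, SyntaxError, TypeError):
        return raw


def apply_setting(settings, key: str, raw_value: str):
    """Equivalent of `settings.<key> = <value>` done with getattr/setattr.

    Rules enforced before anything is assigned:
      * every dotted component must be a plain identifier and must not start
        with "_" (blocks __class__, __dict__ and other internals)
      * intermediate components must already exist on the object
      * the final attribute must already exist, so only known settings can be
        overridden and no arbitrary attribute is created
    Returns the parsed value that was assigned.
    """
    parts = key.split(".")
    for part in parts:
        if not part.isidentifier() or part.startswith("_"):
            raise ValueError(f"invalid settings key: {key!r}")

    target = settings
    for part in parts[:-1]:
        if not hasattr(target, part):
            raise KeyError(f"unknown settings section: {key!r}")
        target = getattr(target, part)

    leaf = parts[-1]
    if not hasattr(target, leaf):
        raise KeyError(f"unknown setting: {key!r}")

    value = parse_value(raw_value)
    setattr(target, leaf, value)
    return value


def apply_cli_overrides(settings, overrides):
    """Apply KEY=VALUE pairs (e.g. ["port=9090", "db.pool_size=10"]).

    Returns a dict of key -> parsed value for everything that was applied.
    Splitting on the first "=" keeps values that themselves contain "=" intact.
    """
    applied = {}
    for item in overrides:
        key, sep, raw = item.partition("=")
        if not sep:
            raise ValueError(f"expected KEY=VALUE, got {item!r}")
        applied[key.strip()] = apply_setting(settings, key.strip(), raw.strip())
    return applied


if __name__ == "__main__":
    import sys

    # Constructed sample overrides are used when no arguments are given.
    demo = make_settings()
    print(apply_cli_overrides(demo, sys.argv[1:] or ["port=9090", "db.url='postgres://db'"]))
    print(demo)
```

Restricting the leaf to attributes that already exist is the part of the check worth keeping even if the key format changes: with it, a mistyped or hostile key fails loudly with `KeyError` instead of silently creating a new attribute nothing reads, and the identifier check means a key like `__class__` is rejected before `getattr` is ever called.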