mirror of
https://github.com/crewAIInc/crewAI.git
synced 2026-04-10 13:02:37 +00:00
- Replace os.system() with subprocess.run() using list args in run_code_unsafe() to prevent command injection via malicious library names (CWE-78)
- Add BLOCKED_ATTRS set to SandboxPython to block dangerous dunder attributes (__class__, __bases__, __subclasses__, __mro__, __globals__, __code__, __reduce__, __reduce_ex__, __builtins__) that enable sandbox escape (CWE-94)
- Add getattr, setattr, delattr, type, breakpoint to UNSAFE_BUILTINS
- Add _check_for_blocked_attrs() pre-execution scan for blocked attribute patterns
- Add comprehensive tests for both vulnerabilities

Co-Authored-By: João <joao@crewai.com>
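
A pre-execution scan of the kind the commit message describes, as an added example that is not the project's code. It walks the parsed AST instead of matching text patterns, which is an assumption: the page does not show how `_check_for_blocked_attrs()` works. `find_blocked` and `REFLECTION_BUILTINS` are hypothetical names, and the sample snippets in the test are constructed.

```python
import ast

# Attribute names listed in the commit message above.
BLOCKED_ATTRS = {
    "__class__", "__bases__", "__subclasses__", "__mro__", "__globals__",
    "__code__", "__reduce__", "__reduce_ex__", "__builtins__",
}
# Builtins the commit adds to UNSAFE_BUILTINS (hypothetical set name here).
REFLECTION_BUILTINS = {"getattr", "setattr", "delattr", "type", "breakpoint"}


def find_blocked(source: str) -> list[str]:
    """Return the sorted blocked names found in `source`.

    A snippet that does not parse is reported as a finding, so the caller
    fails closed instead of handing unscanned code to the sandbox.
    """
    try:
        tree = ast.parse(source)
    except SyntaxError:
        return ["<unparsable>"]

    found = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Attribute) and node.attr in BLOCKED_ATTRS:
            # Direct access such as obj.__class__
            found.add(node.attr)
        elif isinstance(node, ast.Name) and (
            node.id in BLOCKED_ATTRS or node.id in REFLECTION_BUILTINS
        ):
            # Bare names such as __builtins__ or a call to getattr(...)
            found.add(node.id)
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            # Attribute names can also arrive as string literals
            found.update(a for a in BLOCKED_ATTRS if a in node.value)
    return sorted(found)
```

A non-empty result means the snippet should be rejected before execution; the scan complements the restricted builtins and does not replace them.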