crewAI/lib
Rip&Tear 3e2ff5a9b3 fix: replace os.system with subprocess.run in unsafe mode pip install
Eliminates shell injection risk (A05) where a malicious library name like
"pkg; rm -rf /" could execute arbitrary host commands. Using list-form
subprocess.run with shell=False ensures the library name is always treated
as a single argument with no shell metacharacter expansion.

Adds two tests: one verifying list-form invocation, one verifying that
shell metacharacters in a library name cannot trigger shell execution.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-15 15:31:07 +08:00