#700 SEC-04: exec() used for dynamic code with bypass paths

closed high Created 2025-12-25 02:56 · Updated 2025-12-25 03:34

Description

Location: python_task.py:266, code_loader.py:668, app_runner.py:125.

Issue: System uses exec() for user code. Sandbox mode can be disabled via config. dev_mount_path allows host filesystem access. Exempt tenants bypass sandbox.

Fix: Remove unsandboxed fallback in production, enforce sandbox at app level.
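
One way to enforce the fix above at the application level, as an added example that is not the project's own code: every field name except `dev_mount_path` is a hypothetical stand-in for the project's real settings, and the environment names are constructed. Any environment not explicitly listed as development is treated as production, so a mistyped value fails closed.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed environment names; anything else is treated as production.
DEV_ENVIRONMENTS = frozenset({"development", "test"})


class SandboxPolicyError(RuntimeError):
    """Configuration would let user code run outside the sandbox."""


@dataclass(frozen=True)
class RunnerConfig:
    # Hypothetical field names, except dev_mount_path (named in the issue).
    environment: str = "production"
    sandbox_enabled: bool = True
    dev_mount_path: Optional[str] = None
    sandbox_exempt_tenants: frozenset = frozenset()


def bypass_settings(cfg: RunnerConfig) -> list:
    """List every setting that opens one of the bypass paths from the issue."""
    found = []
    if not cfg.sandbox_enabled:
        found.append("sandbox_enabled is false")
    if cfg.dev_mount_path:
        found.append("dev_mount_path is set")
    if cfg.sandbox_exempt_tenants:
        found.append("sandbox_exempt_tenants is not empty")
    return found


def resolve_mode(cfg: RunnerConfig, tenant_id: str) -> str:
    """Decide how user code runs; call at startup and before every run."""
    if cfg.environment not in DEV_ENVIRONMENTS:
        # Production: refuse to run instead of silently honouring a bypass.
        found = bypass_settings(cfg)
        if found:
            raise SandboxPolicyError("refusing to run user code: " + "; ".join(found))
        return "sandbox"
    # Development only: the unsandboxed fallback stays available here.
    if not cfg.sandbox_enabled or tenant_id in cfg.sandbox_exempt_tenants:
        return "unsandboxed"
    return "sandbox"
```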
