Disable base64 loading via API

closes severe RCE vulnerability reported privately.

freqtrade/rpc/api_server/api_backtest.py

@@ -5,6 +5,7 @@ from datetime import datetime
 from typing import Any, Dict, List
 
 from fastapi import APIRouter, BackgroundTasks, Depends
+from fastapi.exceptions import HTTPException
 
 from freqtrade.configuration.config_validation import validate_config_consistency
 from freqtrade.data.btanalysis import get_backtest_resultlist, load_and_merge_backtest_result
@@ -31,6 +32,9 @@ async def api_start_backtest(bt_settings: BacktestRequest, background_tasks: Bac
     if ApiServer._bgtask_running:
         raise RPCException('Bot Background task already running')
 
+    if ':' in bt_settings.strategy:
+        raise HTTPException(status_code=500, detail="base64 encoded strategies are not allowed.")
+
     btconfig = deepcopy(config)
     settings = dict(bt_settings)
     # Pydantic models will contain all keys, but non-provided ones are None

freqtrade/rpc/api_server/api_v1.py

@@ -265,6 +265,8 @@ def list_strategies(config=Depends(get_config)):
 
 @router.get('/strategy/{strategy}', response_model=StrategyResponse, tags=['strategy'])
 def get_strategy(strategy: str, config=Depends(get_config)):
+    if ":" in strategy:
+        raise HTTPException(status_code=500, detail="base64 encoded strategies are not allowed.")
 
     config_ = deepcopy(config)
     from freqtrade.resolvers.strategy_resolver import StrategyResolver