From 42cecb83f2cf1f94e2cdb1071ddb407137f00b9f Mon Sep 17 00:00:00 2001
From: Matthias
Date: Tue, 27 Sep 2022 20:37:16 +0200
Subject: [PATCH] Disable base64 loading via API

closes severe RCE vulnerability reported privately.
---
 freqtrade/rpc/api_server/api_backtest.py | 4 ++++
 freqtrade/rpc/api_server/api_v1.py | 2 ++
 2 files changed, 6 insertions(+)

diff --git a/freqtrade/rpc/api_server/api_backtest.py b/freqtrade/rpc/api_server/api_backtest.py
index 06f04729b..c21828fd4 100644
--- a/freqtrade/rpc/api_server/api_backtest.py
+++ b/freqtrade/rpc/api_server/api_backtest.py
@@ -5,6 +5,7 @@ from datetime import datetime
 from typing import Any, Dict, List
 from fastapi import APIRouter, BackgroundTasks, Depends
+from fastapi.exceptions import HTTPException
 from freqtrade.configuration.config_validation import validate_config_consistency
 from freqtrade.data.btanalysis import get_backtest_resultlist, load_and_merge_backtest_result
@@ -31,6 +32,9 @@ async def api_start_backtest(bt_settings: BacktestRequest, background_tasks: Bac
 if ApiServer._bgtask_running:
 raise RPCException('Bot Background task already running')
+ if ':' in bt_settings.strategy:
+ raise HTTPException(status_code=500, detail="base64 encoded strategies are not allowed.")
+
 btconfig = deepcopy(config)
 settings = dict(bt_settings)
 # Pydantic models will contain all keys, but non-provided ones are None
diff --git a/freqtrade/rpc/api_server/api_v1.py b/freqtrade/rpc/api_server/api_v1.py
index 53f5c16d7..135892dc6 100644
--- a/freqtrade/rpc/api_server/api_v1.py
+++ b/freqtrade/rpc/api_server/api_v1.py
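Review bot: The added rejection in api_start_backtest is sent with `status_code=500`, which reports a refused client value as a server fault and will show up in monitoring as an internal error; a malformed strategy name is a client error and belongs on `status_code=400` (or 422 to match pydantic's own validation responses). The context comment two lines below the check says non-provided BacktestRequest fields arrive as None, so if `strategy` is optional in that model the new `':' in bt_settings.strategy` raises TypeError on a missing value instead of returning a controlled response — guard it, `if bt_settings.strategy and ':' in bt_settings.strategy:`, or make the field required in the model. api_start_backtest begins before this hunk and continues after it, so I cannot see whether any other field of bt_settings is also handed to the strategy resolver and needs the same treatment.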
@@ -265,6 +265,8 @@ def list_strategies(config=Depends(get_config)):
 @router.get('/strategy/{strategy}', response_model=StrategyResponse, tags=['strategy'])
 def get_strategy(strategy: str, config=Depends(get_config)):
+ if ":" in strategy:
+ raise HTTPException(status_code=500, detail="base64 encoded strategies are not allowed.")
 config_ = deepcopy(config)
 from freqtrade.resolvers.strategy_resolver import StrategyResolver
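Review bot: `strategy` in get_strategy is a URL path segment, so the entire string is caller-chosen, and the added `":" in strategy` deny-list blocks only the `name:base64` loading form the commit names; a positive check is the safer shape because a loadable strategy has to be a Python class name, e.g. `if not strategy.isidentifier(): raise HTTPException(status_code=400, detail="invalid strategy name.")`, which also fixes the status code (400, not 500, for rejected client input). The identical two-line check now lives in both api_backtest.py and here with the same message; a single `_validate_strategy_name(strategy)` helper that both endpoints call keeps the two rejections from drifting apart on the next resolver change. This hunk adds no import for HTTPException in api_v1.py, so it is presumably already in scope in this module — worth confirming rather than assuming. get_strategy's body continues past the end of the hunk.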