Files
chatgpt-on-wechat/config.py
shunfeng8421 778d78cebe security: replace eval() with ast.literal_eval + document pickle risk
- config.py:418 — Replace eval(value) with ast.literal_eval() for
  environment variable config overrides. ast.literal_eval only parses
  Python literals and cannot execute arbitrary code, preventing
  environment-variable-based code injection.

- config.py:310-328 — Add security notes on pickle.load/dump usage.
  Pickle is safe here (local appdata file, same-process write/read),
  but notes suggest JSON migration or HMAC signing for future hardening.

Fixes: potential RCE via controlled environment variables
2026-06-29 07:33:33 +08:00

36 KiB