Fix critical security vulnerabilities and bugs#498
Open
YashejShah wants to merge 1 commit into TeamUltroid:main from
Security fixes:
- Fix SQL injection in SqlDB by validating column names as identifiers
- Replace eval() with ast.literal_eval() in json_parser, _get_value, nightmode
- Replace eval() with safe AST-based math evaluator in calculator plugin
- Fix command injection via ADDONS_URL by using list-form subprocess calls
- Replace all os.system() calls with subprocess.check_call() in _database.py
- Remove all shell=True subprocess calls in loader.py

Bug fixes:
- Fix Terminal.terminate() pop-then-access bug that never killed processes
- Fix _auto_remove_processes infinite loop and wrong key iteration
- Fix __dict__ property override breaking Python introspection in BaseClient
- Fix infinite retry loops in fast_uploader/fast_downloader (max 3 retries)
- Fix mediainfo() missing else branch that always overwrote "video" result
- Fix ThreadPoolExecutor leak by using a shared executor instance
- Fix missing f-string prefix in ssgen.py session output
- Pin dependency versions in requirements.txt

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Summary
- SqlDB) — column names are now validated against a strict identifier regex before interpolation
- eval() RCE vectors — replaced unsafe eval() with ast.literal_eval() in json_parser, _get_value, and nightmode; built a safe AST-based math evaluator for the calculator plugin
- ADDONS_URL — all subprocess.run(shell=True) calls converted to list-form (no shell)
- os.system() calls with subprocess.check_call() in _database.py for safer package installation
- Terminal.terminate() bug — process was popped from dict before .kill() was called, so it never actually killed anything
- _auto_remove_processes — was a @property with an infinite while loop iterating PIDs as if they were process objects; replaced with a proper cleanup method
- __dict__ property override in BaseClient that broke Python introspection; renamed to as_dict()
- fast_uploader/fast_downloader — now limited to 3 retries with proper error reporting
- mediainfo() missing else — "video as doc" always overwrote "video" regardless of streaming support check
- ThreadPoolExecutor leak — run_async was creating a new executor per call; now uses a shared instance
- ssgen.py that printed literal {ultroid.session.save()} instead of the actual session
- requirements.txt to prevent supply-chain issues
Test plan
- .calc command with basic math expressions
- .bash and .eval commands (owner only)
- ADDONS_URL set
🤖 Generated with Claude Code