Open fe1w0 opened 8 months ago
Hello, developers, should I apply for CVE for this security issue
Hi @fe1w0 , thanks a lot for reporting this issue.
The compilation server is meant to be used as a developer productivity tool for oneself; it's not meant to be deployed as a service endpoints for others to use (at least not as of our foreseeable roadmap).
With that being said, if you would like to contribute a PR that replaces the usage of pickle
with something more secure, we'd love to welcome your contribution.
Describe the bug In apps/compile server/resources/compilation. Py 126 lines, after get complie server validation, the risk of python deserialization attack can achieve command execution, etc.
Additional context