Note that almost all of these are moot, because anyone with access to the Scrapyd API can use addversion.json and schedule.json to run arbitrary Python code, with the same privileges as the Scrapyd process. Nonetheless:
[x] 858c408 Sanitize project name in both API #421 and egg storage, to prevent FilesystemEggStorage from writing (1) or deleting (3) arbitrary paths
[x] 848fc18 HTML escape user-provided values on the Home (5) and Jobs (6) views, to prevent XSS (including project, spider, job ID).
[x] d346503 Escape user-provided glob (project parameter) in both listversions.json and/or egg storage, to prevent listing files at arbitrary paths (2).
[x] b80dfc8 Sanitize project names, spider names and job IDs, to prevent writing logs and items to arbitrary directories (7).
(4) ("Executing python code when counting spiders") is not a vulnerability, because anyone with access to addversion.json also has access to schedule.json, and can therefore run the same, arbitrary Python code.
Among the other suggestions:
Scrapyd binds to localhost by default since 1.2.0.
It doesn't enable basic authentication by default, but the option is provided since 1.3.0.
http://www.spect.cl/blog/2015/11/security-audit-scrapyd/ Parenthesized numbers are from blog post.
Note that almost all of these are moot, because anyone with access to the Scrapyd API can use addversion.json and schedule.json to run arbitrary Python code, with the same privileges as the Scrapyd process. Nonetheless:
FilesystemEggStoragefrom writing (1) or deleting (3) arbitrary pathsprojectparameter) in both listversions.json and/or egg storage, to prevent listing files at arbitrary paths (2).(4) ("Executing python code when counting spiders") is not a vulnerability, because anyone with access to
addversion.jsonalso has access toschedule.json, and can therefore run the same, arbitrary Python code.Among the other suggestions: