From 2a31ae1f11a89f97865457190b32a895c516bd2a Mon Sep 17 00:00:00 2001
From: orbisai0security <mediratta01.pally@gmail.com>
Date: Wed, 29 Apr 2026 14:45:32 +0000
Subject: [PATCH] fix: V-010 security vulnerability

Automated security fix generated by Orbis Security AI
---
 deploy/docker/server.py | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/deploy/docker/server.py b/deploy/docker/server.py
index 7b3a8d964..d9b93c57e 100644
--- a/deploy/docker/server.py
+++ b/deploy/docker/server.py
@@ -295,11 +295,11 @@ def _safe_eval_config(expr: str) -> dict:
         if isinstance(node, ast.Call) and node is not call:
             raise ValueError("Nested function calls are not permitted")
 
-    # expose everything that crawl4ai exports, nothing else
-    safe_env = {name: getattr(_c4, name)
-                for name in dir(_c4) if not name.startswith("_")}
-    obj = eval(compile(tree, "<config>", "eval"),
-               {"__builtins__": {}}, safe_env)
+    # directly instantiate from ALLOWED_TYPES using ast.literal_eval for argument values
+    cls = ALLOWED_TYPES[call.func.id]
+    args = [ast.literal_eval(arg) for arg in call.args]
+    kwargs = {kw.arg: ast.literal_eval(kw.value) for kw in call.keywords}
+    obj = cls(*args, **kwargs)
     return obj.dump()
 
 
@@ -325,7 +325,7 @@ async def get_token(req: TokenRequest):
 
 
 @app.post("/config/dump")
-async def config_dump(raw: RawCode):
+async def config_dump(raw: RawCode, _td: Dict = Depends(token_dep)):
     try:
         return JSONResponse(_safe_eval_config(raw.code.strip()))
     except Exception as e: