
Hmm, all these eval() calls using data from cookies[0]... is this vulnerable to remote code execution? I think those eval() calls should be json.loads().

[0] https://github.com/k3oni/pydash/blob/1317771275aa118a40df1ec...



Those eval() calls are valid only if the user is authenticated; if there is no authentication then no eval() will be performed on the cookies.


True, but just because you trust someone to access the dashboard doesn't mean you trust them to execute code on your server. There are other things to consider as well, like MITM attacks, and that an XSS hole would let the attacker set their own cookies.

The data in the cookies is just JSON, right? If json.loads() would work here you should switch to that instead.
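The contrast drawn in this thread, as an added example rather than pydash's own code: the cookie names and values below are constructed, and the "expression" cookie is a harmless Python expression used only to show that eval() evaluates whatever the client sends, while json.loads() parses JSON data and rejects everything else.

```python
import json

# Constructed sample cookies, standing in for what a browser sends back.
# "ordinary" is the expected case: a JSON-encoded list of dashboard items.
# "expression" is valid Python but not valid JSON; eval() will run it,
# json.loads() will refuse it.
SAMPLE_COOKIES = {
    "ordinary": '["cpu", "memory"]',
    "expression": "[1] * 3",
}


def read_cookie_unsafe(cookies, name):
    """The pattern under discussion: eval() turns the cookie string into a
    value, but it also executes any expression the client chooses to send."""
    return eval(cookies[name])


def read_cookie_safe(cookies, name, default=None):
    """Hardened form: json.loads() only parses JSON, never executes it.
    Missing or malformed cookies fall back to the default."""
    try:
        value = json.loads(cookies[name])
    except (KeyError, ValueError):  # JSONDecodeError is a ValueError
        return default
    # Cookie values are client-controlled, so also check the expected shape.
    if not isinstance(value, list) or not all(isinstance(x, str) for x in value):
        return default
    return value


def compare(cookies, name):
    """Return (eval result or exception name, json.loads result) for a cookie."""
    try:
        via_eval = read_cookie_unsafe(cookies, name)
    except Exception as exc:
        via_eval = type(exc).__name__
    return via_eval, read_cookie_safe(cookies, name, default=[])


if __name__ == "__main__":
    for cookie_name in SAMPLE_COOKIES:
        print(cookie_name, compare(SAMPLE_COOKIES, cookie_name))
```

For the "expression" cookie, eval() happily returns a computed list while json.loads() rejects the string and the code falls back to an empty default; that gap is the whole difference between treating cookies as data and treating them as code.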


Good point there, I'll look into limiting the eval().

I would hope that people won't give access to everyone to the dashboard; it wasn't really built for that, or at least that wasn't my initial idea.


Doesn't this get even worse since the Python server is run by root?

