Security fixes (#8081)

* use safeloader * use json responses wherever possible * remove CORS and add CSRF token * formatting fixes * add envjs back * fix baseurl test
2023-10-06 22:20:30 -05:00
parent 9a4f970337
commit 14d2b79c72
24 changed files with 1357 additions and 488 deletions
--- a/frigate/util/builtin.py
+++ b/frigate/util/builtin.py
@@ -87,7 +87,8 @@ def load_config_with_no_duplicates(raw_config) -> dict:
    """Get config ensuring duplicate keys are not allowed."""

    # https://stackoverflow.com/a/71751051
-    class PreserveDuplicatesLoader(yaml.loader.Loader):
+    # important to use SafeLoader here to avoid RCE
+    class PreserveDuplicatesLoader(yaml.loader.SafeLoader):
        pass

    def map_constructor(loader, node, deep=False):