Skip to content

security: disable code execution by default in shipped config#688

Open
wtfashwin wants to merge 1 commit into
ParisNeo:mainfrom
wtfashwin:security/disable-code-execution-default
Open

security: disable code execution by default in shipped config#688
wtfashwin wants to merge 1 commit into
ParisNeo:mainfrom
wtfashwin:security/disable-code-execution-default

Conversation

@wtfashwin

@wtfashwin wtfashwin commented May 17, 2026

Copy link
Copy Markdown

Summary

  • configs/config.yaml ships with turn_on_code_execution: true, which means a fresh install allows remote Python execution out of the box.
  • This PR flips the default to false so code execution is opt-in. Users who want it can still enable it in their own config.

Follows the same secure-by-default direction as the recent /api/proxy hardening (#685).

Closes #675.

Test plan

  • Diff is a single-line config change plus a CHANGELOG note — no code paths affected.
  • Manual: start the webui with the shipped config and confirm the existing UI surface still loads (code execution features will require enabling the flag).

@wtfashwin
security: disable code execution by default in shipped config
953ac2e 
Flip turn_on_code_execution from true to false in configs/config.yaml so
fresh installs do not allow remote Python execution by default. Users who
want code execution can still opt in by editing their local config.

Closes ParisNeo#675
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Critical Security Flaw: Default Remote Code Execution (RCE) in Config

1 participant

@wtfashwin