# Vulnerability Summary

## Overview

The `add_or_update_script` API in the Wooyee project suffers from an authorization flaw. The endpoint only verifies that the user is logged in (`@requires_login`) but fails to check for administrative (staff) privileges. This allows any registered user to upload arbitrary Python scripts, which are subsequently executed by Celery worker processes, resulting in a Remote Code Execution (RCE) vulnerability.

## Impact Scope

- **Affected Component**: The `add_or_update_script` function in `wooyee/api/scripts.py`.
- **Attack Consequence**: Remote Code Execution (RCE).

## Remediation

An `is_staff` permission check has been added at the function entry point. Non-staff users now receive a 403 Forbidden response. Additionally, the HTTP response format has been standardized to JSON to ensure consistent API error handling.

## Patched Code

```python
if not request.user.is_staff:
    return JsonResponse(
        {
            "valid": False,
            "errors": {
                "__all__": [
                    force_str(
                        _("You do not have permission to upload scripts.")
                    )
                ]
            },
        },
        status=403,
    )
```
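The following is an added, self-contained illustration of the flaw and its fix, not code from the Wooyee project: the `User`, `Request` and `json_response` stand-ins, and the `requires_staff` decorator, are constructed for this example in place of Django's objects, and `@requires_login` is modelled on the name the summary gives. It shows the vulnerable view (login check only) next to the hardened one, which rejects non-staff callers with the same 403 JSON shape as the patch.

```python
import json
from dataclasses import dataclass
from functools import wraps


@dataclass
class User:  # constructed stand-in for the framework user object
    is_authenticated: bool
    is_staff: bool = False


@dataclass
class Request:  # constructed stand-in for the framework request
    user: User


def json_response(payload, status=200):
    """Mimic JsonResponse: keep the parsed body and the serialized content."""
    return {"status": status, "body": payload, "content": json.dumps(payload)}


def requires_login(view):
    """Models the page's @requires_login: only authenticated callers get through."""
    @wraps(view)
    def wrapper(request, *args, **kwargs):
        if not request.user.is_authenticated:
            return json_response({"valid": False, "errors": {"__all__": ["Login required."]}}, status=401)
        return view(request, *args, **kwargs)
    return wrapper


def requires_staff(view):
    """The fix, expressed as a decorator: refuse non-staff users before the view body runs."""
    @wraps(view)
    def wrapper(request, *args, **kwargs):
        if not request.user.is_staff:
            errors = {"__all__": ["You do not have permission to upload scripts."]}
            return json_response({"valid": False, "errors": errors}, status=403)
        return view(request, *args, **kwargs)
    return wrapper


@requires_login
def add_or_update_script_vulnerable(request, script_source):
    # Before the fix: any logged-in user reaches this point and the script is accepted for execution.
    return json_response({"valid": True, "accepted_bytes": len(script_source)})


@requires_login
@requires_staff
def add_or_update_script_fixed(request, script_source):
    # After the fix: only staff users reach the body; everyone else received a 403 above.
    return json_response({"valid": True, "accepted_bytes": len(script_source)})
```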