Replace dynamic code compilation (exec) in lava_server/lavatable.py
exec is extremely dangerous and can lead to remote code execution.
It is also very slow.
I could not create a remote code execution with the exec code.
It does use an HTML sanitiser to remove quotes from input, but none of the other control symbols.
I tried using literal code inputs like \x22, which is a double quote in hexadecimal.
By a lucky turn of events, str.format will auto-escape backslashes (i.e., \x22 -> \\x22).
However, it still feels like one step away from remote code execution.
The new patch uses dictionaries and unpacking to programmatically create arguments. It is not vulnerable to any character insertions.
I manually tested that the queries are properly added.
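As an added illustration (not the LAVA code from this change), the "before" exec pattern and the "after" dict-unpacking pattern side by side against a stand-in queryset; the field allowlist, the `strip_quotes` sanitiser and the sample inputs are constructed for the demo.

```python
import re

ALLOWED_FIELDS = {"name", "description"}  # constructed allowlist for this demo


class FakeQuerySet:
    """Stand-in for a Django queryset: records the kwargs filter() received."""

    def __init__(self):
        self.calls = []

    def filter(self, **kwargs):
        self.calls.append(kwargs)
        return self


def strip_quotes(value):
    # Sanitiser in the spirit of the old approach: quotes go, every other
    # character (backslashes, newlines, ...) is left in place.
    return re.sub(r"['\"]", "", value)


def filter_with_exec(qs, field, value):
    """'Before' pattern: user input is pasted into Python source and exec'd,
    so the parser reinterprets whatever the sanitiser left behind (a plain
    {} placeholder passes backslashes through unchanged)."""
    src = "result = qs.filter({}__icontains='{}')".format(field, strip_quotes(value))
    scope = {"qs": qs}
    exec(src, scope)
    return scope["result"]


def filter_with_kwargs(qs, field, value):
    """'After' pattern: the lookup name is a dict key, the value is plain data
    handed over via ** unpacking and never parsed as code."""
    if field not in ALLOWED_FIELDS:
        raise ValueError("unknown field: {!r}".format(field))
    return qs.filter(**{"{}__icontains".format(field): value})


def run_before(value):
    """kwargs the exec path produced, or the exception name if parsing failed."""
    try:
        return filter_with_exec(FakeQuerySet(), "name", value).calls[0]
    except SyntaxError as exc:
        return type(exc).__name__


def run_after(value):
    return filter_with_kwargs(FakeQuerySet(), "name", value).calls[0]


if __name__ == "__main__":
    for sample in ["ab\\x22c", "a\nb"]:
        print(repr(sample), "->", run_before(sample), "|", run_after(sample))
```

With the exec path a backslash escape in the input is turned into a quote by the Python parser and a newline breaks the generated source entirely, while the kwargs path stores both inputs byte for byte.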