max / audiofiles

Disable eval() and module imports in Rhai plugin engine Prevents untrusted plugin scripts from executing dynamic code or loading external modules. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: Max J. <87768334+MaxJMath@users.noreply.github.com> · 2026-04-13 21:58 UTC

Commit: 4aa1482da1414bd103fec04c00270344e978c43b

Parent: 870cca5

1 file changed, +4 insertions, -0 deletions

M crates/audiofiles-rhai/src/engine.rs +4

			@@ -20,6 +20,10 @@ pub fn create_engine() -> Engine {
20	20		engine.on_print(\|_\| {});
21	21		engine.on_debug(\|_, _, _\| {});
22	22
	23	+	// Disable dynamic eval and module imports (principle of least privilege)
	24	+	engine.disable_symbol("eval");
	25	+	engine.set_max_modules(0);
	26	+
23	27		// Register custom types
24	28		engine
25	29		.register_type_with_name::<RhaiSampleInfo>("SampleInfo")