refactor: extract check for base64 strategies

2026-03-01 15:52:43 +00:00 · 2026-02-24 21:11:52 +01:00
parent f6dbca35f3
commit 3a6311b7fc
3 changed files with 19 additions and 6 deletions
--- a/freqtrade/rpc/api_server/api_backtest.py
+++ b/freqtrade/rpc/api_server/api_backtest.py
@@ -30,7 +30,7 @@ from freqtrade.rpc.api_server.api_schemas import (
    BacktestRequest,
    BacktestResponse,
 )
-from freqtrade.rpc.api_server.deps import get_config
+from freqtrade.rpc.api_server.deps import get_config, verify_strategy
 from freqtrade.rpc.api_server.webserver_bgwork import ApiBG
 from freqtrade.rpc.rpc import RPCException

@@ -134,8 +134,7 @@ async def api_start_backtest(
    if ApiBG.bgtask_running:
        raise RPCException("Bot Background task already running")

-    if ":" in bt_settings.strategy:
-        raise HTTPException(status_code=500, detail="base64 encoded strategies are not allowed.")
+    verify_strategy(bt_settings.strategy)

    btconfig = deepcopy(config)
    remove_exchange_credentials(btconfig["exchange"], True)
--- a/freqtrade/rpc/api_server/api_v1.py
+++ b/freqtrade/rpc/api_server/api_v1.py
@@ -22,7 +22,13 @@ from freqtrade.rpc.api_server.api_schemas import (
    SysInfo,
    Version,
 )
-from freqtrade.rpc.api_server.deps import get_config, get_exchange, get_rpc, get_rpc_optional
+from freqtrade.rpc.api_server.deps import (
+    get_config,
+    get_exchange,
+    get_rpc,
+    get_rpc_optional,
+    verify_strategy,
+)
 from freqtrade.rpc.rpc import RPCException


@@ -146,8 +152,7 @@ def markets(
 def get_strategy(
    strategy: str, config=Depends(get_config), rpc: RPC | None = Depends(get_rpc_optional)
 ):
-    if ":" in strategy:
-        raise HTTPException(status_code=422, detail="base64 encoded strategies are not allowed.")
+    verify_strategy(strategy)

    if not rpc or config["runmode"] == RunMode.WEBSERVER:
        # webserver mode
--- a/freqtrade/rpc/api_server/deps.py
+++ b/freqtrade/rpc/api_server/deps.py
@@ -75,3 +75,12 @@ def is_trading_mode(config=Depends(get_config)):
    if config["runmode"] not in TRADE_MODES:
        raise HTTPException(status_code=503, detail="Bot is not in the correct state.")
    return None
+
+
+def verify_strategy(strategy: str | None):
+    """Verify that the strategy name is valid (not base64 encoded).
+    This is a security measure to prevent potential attacks using base64 encoded strategies.
+    This should be called for every endpoint that accepts a strategy name as a parameter.
+    """
+    if strategy is not None and ":" in strategy:
+        raise HTTPException(status_code=422, detail="base64 encoded strategies are not allowed.")