# SPCVE-0001

**API versions affected**: [[changelog#Input sanitization added swagger https git selfprivacy org SelfPrivacy selfprivacy-rest-api pulls 5|All pre-1.1.0 releases]]

**SelfPrivacy app versions affected:** ≤0.2.4; fixed in 0.3.0

**Discovered on**: 16 Nov 2021

**Addressed on**: 17 Nov 2021

## Description

A remote code execution vulnerability allowed root access to anyone, without any authorization. It was caused by the following factors:

- The API had no authentication.
- No input sanitization was used.
- Python's `subprocess.Popen` was called with `shell=True`.

At that time there was no mechanism to upgrade the API, so the server had to be recreated.

## Taken measures

- Basic API auth added.
- No `subprocess` call uses `shell=True` any more.
- The CI pipeline now includes [bandit](https://github.com/PyCQA/bandit) to prevent the same mistakes in the future.
- More input sanitization added.
- Created a [nix overlay](https://git.selfprivacy.org/SelfPrivacy/selfprivacy-nix-repo) to provide API upgrades automatically.
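The three root causes above (no authentication, no input sanitization, `shell=True`) and their fixes can be seen side by side in a small Python example. This is an added illustration, not code from the SelfPrivacy REST API; the `nslookup` command, the hostname allow-list and the bearer-token comparison are assumptions chosen for the demonstration. The vulnerable builder returns the one-string shape that a shell would parse; the hardened builder validates the input first and returns an argv list, which `subprocess.run` executes with `shell=False`, so metacharacters in the value are never interpreted:

```python
import hmac
import re
import subprocess
import sys

# Assumed allow-list for one kind of user input: a DNS hostname (labels of
# letters, digits and hyphens, joined by dots). Anything else is rejected
# before it gets anywhere near a command line.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")


def is_valid_hostname(value: str) -> bool:
    """True only for a plain hostname of at most 253 characters."""
    return len(value) <= 253 and _HOSTNAME_RE.fullmatch(value) is not None


def validate_hostname(value: str) -> str:
    """Return the value unchanged or raise; never silently 'clean it up'."""
    if not is_valid_hostname(value):
        raise ValueError(f"rejected hostname: {value!r}")
    return value


def build_command_vulnerable(hostname: str) -> str:
    """The pre-fix shape: a single string meant for a shell to parse.

    Every shell metacharacter inside `hostname` would be interpreted, which
    is exactly why this string must never be passed with shell=True.
    """
    return f"nslookup {hostname}"


def build_command_hardened(hostname: str) -> list[str]:
    """The post-fix shape: an argv list holding the validated value as one element."""
    return ["nslookup", validate_hostname(hostname)]


def run_hardened(argv: list[str]) -> subprocess.CompletedProcess:
    """Execute without a shell; each argv element reaches the program verbatim."""
    return subprocess.run(argv, shell=False, capture_output=True, text=True, check=False)


def echo_argument(value: str) -> str:
    """Demonstrate that without a shell a metacharacter-laden string stays one argument.

    Uses the running Python interpreter instead of nslookup so it works offline.
    """
    argv = [sys.executable, "-c", "import sys; print(sys.argv[1])", value]
    return run_hardened(argv).stdout.rstrip("\n")


def check_api_token(presented: str, expected: str) -> bool:
    """Constant-time comparison for a bearer-style API token (assumed scheme)."""
    return hmac.compare_digest(presented.encode(), expected.encode())


if __name__ == "__main__":
    user_input = "example.com;ls"  # constructed input carrying a shell metacharacter
    print("vulnerable string:", build_command_vulnerable(user_input))
    print("passes allow-list?", is_valid_hostname(user_input))
    print("argv receives:", echo_argument(user_input))
    try:
        build_command_hardened(user_input)
    except ValueError as exc:
        print("hardened builder:", exc)
```

The allow-list is deliberately strict and rejects rather than rewrites: an input that fails validation is an error to log, not something to quote and pass along. `shlex.quote` exists for the rare case where a shell is unavoidable, but an argv list with `shell=False` removes the shell from the picture entirely, which is what bandit's `subprocess_popen_with_shell_equals_true` check enforces in CI.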