opencron
Audited by Socket on Mar 6, 2026
1 alert found:
Obfuscated File

The code provides convenient natural-language task creation but contains a severe unsafe pattern: embedding raw user-provided descriptions into generated executable JavaScript files without escaping or validation. This enables an attacker who can supply the description to craft payloads that will be written to disk and, after the scheduler restart, executed by the host, effectively remote code execution. Filename sanitization reduces path-related risks but does not prevent in-file code injection. Recommended fixes: escape/serialize user content before embedding into code (or avoid generating executable JS from untrusted input), enforce strict authorization on who can create tasks, validate and whitelist acceptable description characters/length, write non-executable task payloads (e.g., data-only config) and have operator-controlled scripts, and add safe write/backup/atomic operations for CONFIG_FILE. No evidence of intentional exfiltration or backdoor was found in this fragment, but the present implementation is a high-impact security risk and should be remediated before use in environments with untrusted users.