
[Security Alert]: RCE (Remote Code Execution) via unsafe eval call in get_list function

Open MrBruz opened this issue 2 months ago • 0 comments

Checklist

  • [x] The issue has not been resolved by following the troubleshooting guide
  • [x] The issue exists on a clean installation of Fooocus
  • [x] The issue exists in the current version of Fooocus
  • [x] The issue has not been reported before recently
  • [ ] The issue has been reported before but has not been fixed yet

What happened?

For some reason, Fooocus's metadata parser includes an eval call, which can be abused to run arbitrary Python and achieve remote code execution. There are multiple instances of eval which must be fixed, even though only one was used for the proof of concept shown.


Steps to reproduce the problem

  1. Enable Advanced > Developer Debug Mode > Debug Tools > Save Metadata to Images
  2. Generate and save an image using this setting
  3. Edit the styles subsection in the EXIF metadata to say something like "styles": "__import__('os').system('echo pwned > /flag') or ['Fooocus V2', 'Fooocus Enhance', 'Fooocus Sharp']"
  4. Import the image using Input Image > Metadata > Upload Image, then click Apply Metadata

https://github.com/user-attachments/assets/4ccae01d-4bb7-4829-8d61-92d86c57e628

What should have happened?

No RCE

What browsers do you use to access Fooocus?

Mozilla Firefox

Where are you running Fooocus?

Locally with virtualization (e.g. Docker)

What operating system are you using?

Linux

Console logs

N/A

Additional information

This was originally submitted to the original Fooocus repo, however it is being submitted here too in hopes that the active forks will patch this ASAP too.

MrBruz · Oct 27 '25 23:10
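The following is an added example, not code from the issue or from Fooocus itself. It reconstructs the shape of the pattern the report describes (a metadata string handed to eval, followed by an isinstance(list) check) as a simplified, hypothetical `get_list_vulnerable`, and puts a hardened `get_list_hardened` beside it that accepts the same Python-list-literal syntax via `ast.literal_eval` but executes nothing. The payload reuses the PoC's `<code> or [<list>]` trick with a harmless in-process sentinel instead of `os.system`, so running it shows why the list check alone does not stop the attack. All names, the sample metadata strings and the length limit are assumptions for the demonstration.

```python
"""Vulnerable vs. hardened parsing of list-valued image metadata fields.

Added example (not Fooocus's code). The vulnerable function mirrors the
pattern the issue reports: a string taken from image metadata is passed
straight to eval, then checked to be a list.
"""
from __future__ import annotations

import ast

# Constructed sample: a styles field serialised as a Python list literal
# (single quotes, so json.loads would not accept it; eval was presumably
# chosen to read this syntax back).
BENIGN_STYLES = "['Fooocus V2', 'Fooocus Enhance', 'Fooocus Sharp']"

# Sentinel recording whether attacker-controlled code ran. The real PoC
# calls os.system(); here the payload appends to this list instead so the
# demonstration has no effect outside the interpreter.
SIDE_EFFECTS: list[str] = []

# Constructed payload with the same shape as the issue's PoC:
# `<code to run> or <legitimate list>`. append() returns None, so `or`
# yields the list and an isinstance(list) check still passes.
MALICIOUS_STYLES = (
    "SIDE_EFFECTS.append('pwned') or ['Fooocus V2', 'Fooocus Enhance']"
)


def get_list_vulnerable(value: str, default: list[str] | None = None) -> list:
    """Hypothetical reconstruction of the eval-based parser (assumption)."""
    try:
        h = eval(value)  # arbitrary Python runs here with this module's globals
        assert isinstance(h, list)
        return h
    except Exception:
        return default if default is not None else []


MAX_FIELD_LEN = 4096  # assumed cap; literal_eval can still hit recursion limits on deep nesting


def get_list_hardened(value: str, default: list[str] | None = None) -> list[str]:
    """Parse a Python list literal of strings without executing code.

    ast.literal_eval only accepts literal nodes (strings, numbers, lists,
    tuples, dicts, ...). Calls, attribute access, bare names and `or`
    raise ValueError, so the PoC payload is rejected before anything runs.
    The result is additionally required to be a list of str.
    """
    fallback = list(default) if default is not None else []
    if not isinstance(value, str) or len(value) > MAX_FIELD_LEN:
        return fallback
    try:
        parsed = ast.literal_eval(value)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError):
        return fallback
    if not isinstance(parsed, list) or not all(isinstance(s, str) for s in parsed):
        return fallback
    return parsed


def demo() -> dict:
    """Run both parsers on both inputs and report what each one did."""
    SIDE_EFFECTS.clear()
    vuln_benign = get_list_vulnerable(BENIGN_STYLES)
    vuln_evil = get_list_vulnerable(MALICIOUS_STYLES)
    ran_under_eval = list(SIDE_EFFECTS)  # ['pwned']: code executed, list check passed

    SIDE_EFFECTS.clear()
    safe_benign = get_list_hardened(BENIGN_STYLES)
    safe_evil = get_list_hardened(MALICIOUS_STYLES, default=["Fooocus V2"])
    return {
        "vuln_benign": vuln_benign,
        "vuln_evil": vuln_evil,
        "ran_under_eval": ran_under_eval,
        "safe_benign": safe_benign,
        "safe_evil": safe_evil,
        "ran_under_literal_eval": list(SIDE_EFFECTS),  # []: nothing executed
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

The point the output makes: under eval the malicious field both runs the attacker's code and returns a perfectly valid list, so a post-hoc `isinstance(h, list)` assertion is not a mitigation. `ast.literal_eval` reads the same stored syntax but raises on the payload, and the element-type check closes the remaining gap of a list that parses but contains non-strings. Because `literal_eval` can still exhaust the interpreter stack on pathologically nested input, a length cap on the untrusted field (the assumed `MAX_FIELD_LEN`) is kept in front of it.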