
eval() is insecure: whatever string is passed to it is executed as Python code, so any uncontrolled data reaching it becomes arbitrary code execution. The official Python documentation warns against using eval() on untrusted input, and the weakness is catalogued as CWE-94 (Improper Control of Generation of Code). The suggested fix replaces eval() with ast.literal_eval(), which only evaluates Python literals (strings, bytes, numbers, tuples, lists, dicts, sets, booleans and None) and raises ValueError for anything else, such as names, function calls or attribute access. Because of that restriction, literal_eval is not a drop-in replacement when eval() was used to evaluate arbitrary expressions, so the automatic fix below is only offered for the single-argument form and should be reviewed before it is applied.
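The contrast the rule relies on, as an added example that is not part of the Codiga rule page: the helper below wraps ast.literal_eval() so that benign literals are parsed while a code-execution payload, a non-literal expression and malformed text are rejected instead of executed. The inputs are constructed for the example; the function and constant names are the example's own.

```python
"""Added example: ast.literal_eval() as the safe counterpart of eval().

eval() is never called in this file; the point is to show which inputs
literal_eval accepts and how it fails on the rest.
"""
from ast import literal_eval

# Constructed inputs for the example.
BENIGN = "[1, 2, 3]"                        # a list literal: accepted
PAYLOAD = "__import__('os').getcwd()"       # would run code under eval(); rejected
EXPRESSION = "2 ** 10"                      # valid Python, but not a literal; rejected
MALFORMED = "[1, 2"                         # does not parse; rejected

# literal_eval raises ValueError for non-literal nodes, SyntaxError for text
# that does not parse, and may raise TypeError, MemoryError or RecursionError
# on pathological input (e.g. extremely deep nesting), per the Python docs.
_REJECTIONS = (ValueError, SyntaxError, TypeError, MemoryError, RecursionError)


def parse_literal(text):
    """Return the Python value encoded by `text` if it is a literal,
    otherwise None. Nothing in `text` is ever executed."""
    try:
        return literal_eval(text)
    except _REJECTIONS:
        return None


def rejection_reason(text):
    """Return the name of the exception literal_eval raises for `text`,
    or None if the text is an accepted literal. Useful when logging why
    untrusted input was refused."""
    try:
        literal_eval(text)
    except _REJECTIONS as exc:
        return type(exc).__name__
    return None


if __name__ == "__main__":
    for sample in (BENIGN, PAYLOAD, EXPRESSION, MALFORMED):
        print(repr(sample), "->", parse_literal(sample), rejection_reason(sample))
```

The last two samples are the caveat for the automatic fix: `2 ** 10` is perfectly valid under eval() but is refused by literal_eval, so code that relied on eval() for expression evaluation will start raising ValueError after the rewrite.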

Learn More

  • CWE-94 - Improper Control of Generation of Code
  • Safe and Secure Python: do not use eval()

AST rule: function call


function visit(node) {
  // Only the builtin eval() is flagged; foo.eval(...) has a moduleOrObject and is skipped.
  if (node.functionName.value === "eval" && !node.moduleOrObject) {
    const hasOneArgument = node.arguments && node.arguments.values && node.arguments.values.length === 1;

    const error = buildError(node.start.line, node.start.col, node.end.line, node.end.col, "do not use eval as this is unsafe", "CRITICAL", "SAFETY");

    // The automatic fix is only offered for the single-argument form whose
    // argument text is available: literal_eval takes one argument and only
    // accepts Python literals, so the rewrite changes behaviour if eval()
    // was used to evaluate expressions or names.
    const argumentNode = hasOneArgument ? node.arguments.values[0].value : undefined;
    const argumentValue = argumentNode && argumentNode.str;

    if (argumentValue !== undefined) {
      const newFunctionCall = `literal_eval(${argumentValue})`;
      const editReplaceFunctionCall = buildEditUpdate(node.start.line, node.start.col, node.end.line, node.end.col, newFunctionCall);

      // The import is inserted at line 1 without checking whether the file already has it.
      const editAddImport = buildEditAdd(1, 1, "from ast import literal_eval\n");

      const fix = buildFix("replace with literal_eval", [editReplaceFunctionCall, editAddImport]);
      error.addFix(fix);
    }

    addError(error);
  }
}

Expected test result: no error

import foo
foo.eval('[1, 2, 3]')

Expected test result: no error

from ast import literal_eval
literal_eval('[1, 2, 3]')

Expected test result: has error

eval('[1, 2, 3]')
Codiga – All rights reserved 2022.