no-eval

Ruleset: python-security
Category: Security
Severity: Critical
Tags: none

CWE-94

eval() executes whatever Python expression it is given, so passing it data from an uncontrolled source lets that source run arbitrary code, as the official Python documentation warns. Code that is generated or evaluated at runtime must be controlled, as described in CWE-94 (Improper Control of Generation of Code). This rule flags every bare call to the builtin eval() and offers a fix that rewrites it to ast.literal_eval(), which only evaluates Python literals (strings, bytes, numbers, tuples, lists, dicts, sets, booleans and None) and raises ValueError for anything else. The fix is therefore only equivalent when the argument is a literal: code that relied on eval() to resolve names, operators or function calls will raise after the rewrite and needs a real parser instead.

Learn More

  • CWE-94 - Improper Control of Generation of Code
  • Safe and Secure Python: do not use eval()

AST rule: function call


no-eval
function visit(node) {
  // Match only the bare builtin `eval(...)`: `foo.eval(...)` carries a
  // moduleOrObject and is not the builtin, so it is left alone (see from-module.py).
  if (node.functionName && node.functionName.value === "eval" && !node.moduleOrObject) {
    const error = buildError(node.start.line, node.start.col, node.end.line, node.end.col, "do not use eval as this is unsafe", "CRITICAL", "SAFETY");

    // The automatic fix is only offered for the one-argument form eval(expr).
    // eval() with no arguments, or with explicit globals/locals, has no
    // literal_eval equivalent, and reading values[0] there would throw.
    const hasOneArgument = node.arguments && node.arguments.values && node.arguments.values.length === 1;
    if (hasOneArgument) {
      const argumentValue = node.arguments.values[0].value.str;
      const newFunctionCall = `literal_eval(${argumentValue})`;
      const editReplaceFunctionCall = buildEditUpdate(node.start.line, node.start.col, node.end.line, node.end.col, newFunctionCall);

      // Add the import at the very top of the file (line 1, column 1).
      const editAddImport = buildEditAdd(1, 1, "from ast import literal_eval\n");

      const fix = buildFix("replace with literal_eval", [editReplaceFunctionCall, editAddImport]);
      addError(error.addFix(fix));
    } else {
      // Still report the violation, just without an automatic fix.
      addError(error);
    }
  }
}
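To see what the suggested fix actually changes, here is an added example (not Codiga's code and not part of the rule above) that runs the flagged call and its literal_eval replacement side by side on constructed inputs: a benign list literal, and a stand-in payload that eval() executes but literal_eval() rejects. The function and constant names are this example's own.

```python
"""Why the rule replaces eval() with ast.literal_eval().

Added example for this page, not Codiga's own code. The inputs below are
constructed; the payload is a harmless expression that shows eval() runs
arbitrary Python while literal_eval() only builds literal values.
"""
from ast import literal_eval


def parse_with_eval(text: str):
    """The flagged pattern: evaluates any Python expression found in `text`."""
    return eval(text)


def parse_with_literal_eval(text: str):
    """The suggested fix: accepts Python literals only.

    Returns the parsed value, or None when `text` is not a literal.
    literal_eval raises ValueError for syntax trees that contain anything
    other than literals (names, calls, operators...) and SyntaxError when the
    text does not parse at all; both are treated here as "rejected".
    """
    try:
        return literal_eval(text)
    except (ValueError, SyntaxError):
        return None


# Constructed inputs: a benign literal and an attacker-controlled expression.
BENIGN = "[1, 2, 3]"
PAYLOAD = "__import__('os').getcwd()"   # harmless stand-in for code execution


def compare():
    """Run both parsers on both inputs and summarise what each one did."""
    return {
        "eval_benign": parse_with_eval(BENIGN),
        "literal_benign": parse_with_literal_eval(BENIGN),
        # eval() imported a module and called a function: a string came back.
        "eval_payload_ran": isinstance(parse_with_eval(PAYLOAD), str),
        # literal_eval() refused the Call node and returned None.
        "literal_payload": parse_with_literal_eval(PAYLOAD),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value!r}")
```

literal_eval() is not a general sandbox: the Python documentation notes that a sufficiently large or deeply nested string can still crash the interpreter through stack exhaustion, so untrusted input should additionally be length-limited before it reaches either function.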

from-module.py

Expected test result: no error

import foo
foo.eval('[1, 2, 3]')

literal-eval.py

Expected test result: no error

from ast import literal_eval
print("bla")
literal_eval('[1, 2, 3]')

eval-use.py

Expected test result: has error

print("bla")
eval('[1, 2, 3]')

Codiga Hub

Codiga – All rights reserved 2022.