security fix: Improve expression evaluation #827
Open
phbrgnomo wants to merge 5 commits into polakowo:master from
Draft PR: phbrgnomo#10
Vulnerability Fixes:
Remote code execution (RCE) from untrusted input evaluated by eval
Risk: RCE lets attackers execute arbitrary code, access sensitive data, pivot the environment, or fully compromise the process when untrusted input reaches eval.
Cause: eval executes strings as code. Passing data derived from external sources without strict validation or a strict allowlist enables arbitrary code injection.
Fix
Remove eval usage. If parsing literals, use ast.literal_eval(). For calculations or logic, implement explicit handlers or a whitelisted function map. Validate inputs strictly. If isolation is unavoidable, use a sandbox like RestrictedPython with minimal, immutable globals.
Note
Dynamic expression execution will be removed or restricted; inputs that previously executed arbitrary expressions may be rejected or behave differently.
Remote code execution (RCE) from external input evaluated by exec
Risk: Attackers could execute arbitrary code on the server, exfiltrate data, modify state, or fully compromise the host process.
Cause: User-controlled strings are passed to exec without strict validation or isolation, enabling injected code to run with application privileges.
Fix
Remove exec usage. Replace dynamic code execution with explicit functions or a dispatch map. For data-only evaluation, use ast.literal_eval. If expression evaluation is required, implement a strict whitelist parser and never pass user input to exec.
Note
If the application relied on executing arbitrary expressions, those scripts will no longer run; only explicitly allowed operations will execute.
Summary by Sourcery
Harden expression evaluation and remove unsafe dynamic code execution from the codebase.
Bug Fixes:
Enhancements:
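The fix guidance above (drop eval/exec, keep ast.literal_eval for literals, and use an explicit allowlisted function map for calculations) can be illustrated with a small AST-walking evaluator. The following is an added example written for this page; it is not code from this PR or from the vectorbt codebase. The allowlisted function names (`abs`, `min`, `max`, `sqrt`), the exponent cap, and the `UnsafeExpression` error type are choices made for the example. Instead of executing the string, it parses it with `ast.parse(mode="eval")` and only interprets node types it explicitly recognises, so attribute access, subscripts, lambdas, comprehensions and any unknown name or function are rejected rather than executed:

```python
import ast
import math
import operator
from typing import Any, Dict, Optional

# Allowlisted operators, keyed by AST node type. Anything not listed here
# (bitwise ops, matrix multiply, ...) is rejected, not silently executed.
_BIN_OPS = {
    ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
    ast.Div: operator.truediv, ast.FloorDiv: operator.floordiv,
    ast.Mod: operator.mod, ast.Pow: operator.pow,
}
_UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos, ast.Not: operator.not_}
_CMP_OPS = {
    ast.Gt: operator.gt, ast.GtE: operator.ge, ast.Lt: operator.lt,
    ast.LtE: operator.le, ast.Eq: operator.eq, ast.NotEq: operator.ne,
}
# Allowlisted function map (example choice; a real project lists the helpers it needs).
_FUNCS = {"abs": abs, "min": min, "max": max, "sqrt": math.sqrt}
# Cap on exponents so "9 ** 9 ** 9" cannot be used to exhaust CPU/memory (example choice).
_MAX_EXPONENT = 1000


class UnsafeExpression(ValueError):
    """Raised for any syntax or name the evaluator does not explicitly allow."""


def safe_eval(expr: str, variables: Optional[Dict[str, Any]] = None) -> Any:
    """Evaluate an arithmetic/comparison expression without eval or exec."""
    try:
        tree = ast.parse(expr, mode="eval")
    except SyntaxError as exc:
        raise UnsafeExpression(f"invalid expression: {exc.msg}") from None
    return _eval_node(tree.body, variables or {})


def _eval_node(node: ast.AST, variables: Dict[str, Any]) -> Any:
    if isinstance(node, ast.Constant):
        # Only plain numbers and booleans; strings/bytes/None are not needed here.
        if isinstance(node.value, (int, float, bool)):
            return node.value
        raise UnsafeExpression(f"disallowed constant: {node.value!r}")
    if isinstance(node, ast.Name):
        # Names resolve only against the caller-supplied mapping, never builtins/globals.
        if node.id in variables:
            return variables[node.id]
        raise UnsafeExpression(f"unknown name: {node.id!r}")
    if isinstance(node, ast.UnaryOp):
        op = _UNARY_OPS.get(type(node.op))
        if op is None:
            raise UnsafeExpression(f"disallowed operator: {type(node.op).__name__}")
        return op(_eval_node(node.operand, variables))
    if isinstance(node, ast.BinOp):
        op = _BIN_OPS.get(type(node.op))
        if op is None:
            raise UnsafeExpression(f"disallowed operator: {type(node.op).__name__}")
        left = _eval_node(node.left, variables)
        right = _eval_node(node.right, variables)
        if isinstance(node.op, ast.Pow) and abs(right) > _MAX_EXPONENT:
            raise UnsafeExpression("exponent too large")
        return op(left, right)
    if isinstance(node, ast.Compare):
        # Chained comparisons such as "1 < x <= 5" are evaluated pairwise.
        left = _eval_node(node.left, variables)
        for op_node, comparator in zip(node.ops, node.comparators):
            op = _CMP_OPS.get(type(op_node))
            if op is None:
                raise UnsafeExpression(f"disallowed comparison: {type(op_node).__name__}")
            right = _eval_node(comparator, variables)
            if not op(left, right):
                return False
            left = right
        return True
    if isinstance(node, ast.Call):
        # Calls must be a bare allowlisted name with positional args only.
        if not isinstance(node.func, ast.Name) or node.func.id not in _FUNCS or node.keywords:
            raise UnsafeExpression("disallowed function call")
        args = [_eval_node(arg, variables) for arg in node.args]
        return _FUNCS[node.func.id](*args)
    # Attribute, Subscript, Lambda, List, comprehensions, etc. all end up here.
    raise UnsafeExpression(f"disallowed syntax: {type(node).__name__}")


def rejects(expr: str, variables: Optional[Dict[str, Any]] = None) -> bool:
    """True if the evaluator refuses the expression (useful for tests and audits)."""
    try:
        safe_eval(expr, variables)
    except UnsafeExpression:
        return True
    return False


if __name__ == "__main__":
    print(safe_eval("max(a, b) - 1", {"a": 3, "b": 7}))      # 6
    print(rejects("__import__('os')"), rejects("().__class__"))  # True True
```

Because the walker never touches `__builtins__` or the caller's globals, the usual escape routes through names and attribute chains are not reachable by construction; adding a capability means adding a line to `_FUNCS` or `_BIN_OPS`, which is the "whitelisted function map" the fix description calls for. The exponent cap is the kind of resource check that a parser-based evaluator still needs, since allowlisting syntax does not by itself bound the cost of evaluating it.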