Skip to content

security: replace eval() with getattr() to prevent code injection#610

Open
difcn2026 wants to merge 1 commit into
psf:masterfrom
difcn2026:security/fix-eval-injection
Open

security: replace eval() with getattr() to prevent code injection#610
difcn2026 wants to merge 1 commit into
psf:masterfrom
difcn2026:security/fix-eval-injection

Conversation

@difcn2026

Copy link
Copy Markdown

Security Fix: Replace eval() with getattr() to prevent code injection

Vulnerability

requests_html.py:570 uses eval("cookiejar."+key) to dynamically access cookie attributes. If key is ever influenced by external input, this could allow arbitrary code execution.

Fix

Replaced eval("cookiejar."+key) with getattr(cookiejar, key, None) — functionally equivalent but safe from code injection.

# Before
v = eval ("cookiejar."+key)

# After
v = getattr(cookiejar, key, None)

How I Found This

Scanned with AgentGuard (rule PY001 — eval usage), then verified manually.

AgentGuard is an open-source security scanner powered by GLM-5.2 that finds and fixes vulnerabilities automatically.

Checklist

  • Change is functionally equivalent (getattr with default None)
  • No new dependencies
  • Tested: getattr(cookiejar, key, None) returns same value as eval("cookiejar."+key) for valid keys

Found by AgentGuard scan (rule PY001). The eval() call with dynamic
attribute access could be exploited if the key value is influenced by
external input. Replaced with getattr() which is safe and equivalent.

Scanned and auto-fixed by AgentGuard + GLM-5.2
https://github.com/difcn2026/agentguardp
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant