gh-118633: Add warning regarding the unsafe usage of eval and exec #118437

DanielRuf · Apr 30, 2024

📚 Documentation preview 📚: https://cpython-previews--118437.org.readthedocs.build/

Issue: add warning for eval and exec (unsafe usage may lead to critical vulnerabilities) #118633

ghost · Apr 30, 2024

All commit authors signed the Contributor License Agreement.

DanielRuf · Apr 30, 2024

For more context, Liran Tal from Snyk posted the following on LinkedIn: https://snyk.io/de/blog/code-injection-vulnerabilities-caused-by-generative-ai/

So I opened this PR to discuss and improve the documentation concerning this matter.

DanielRuf · Apr 30, 2024

Should there also be some warning for exec?

Eclips4 · Apr 30, 2024

FYI, There's already an entry in faq/programming.

DanielRuf · Apr 30, 2024

@Eclips4 thanks for the hint, but in my opinion this is not sufficient. Take a look at these:

https://www.php.net/manual/en/function.eval.php
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval

I doubt that anyone reading a documentation entry knows, that there is a separate page with an important information. The warning should be directly in the documentation.

JelleZijlstra · May 2, 2024

Agree that exec() and eval() should carry big red warnings in the docs; it's a bit surprising that they don't, when the considerably safer ast.literal_eval does (https://docs.python.org/3.13/library/ast.html#ast.literal_eval).

Please add a warning to both eval() and exec(). Also, please open an issue to link this PR to: usually that's not necessary for docs fixes, but I think this is important enough that it's good to add a bit more visibility.

DanielRuf · May 6, 2024

I've added now the warning for exec too. Creating the issue now.

Doc/library/functions.rst

Eclips4 · May 6, 2024

LG for me. However there is one thing that I want to discuss: Do we need to add a similar note for the compile function?

Doc/library/functions.rst

Co-authored-by: Jelle Zijlstra <jelle.zijlstra@gmail.com>

Doc/library/functions.rst

willingc · Oct 30, 2024

Thanks everyone for the PR, reviews and suggestions. I'm planning to merge.

miss-islington-app · Oct 30, 2024

Thanks @DanielRuf for the PR, and @willingc for merging it 🌮🎉.. I'm working now to backport this PR to: 3.12, 3.13.
🐍🍒⛏🤖

…xec (pythonGH-118437) * Add warning regarding the unsafe usage of eval * Add warning regarding the unsafe usage of exec * Move warning under parameters table * Use suggested shorter text Co-authored-by: Jelle Zijlstra <jelle.zijlstra@gmail.com> * Use suggested shorter text Co-authored-by: Jelle Zijlstra <jelle.zijlstra@gmail.com> * Improve wording as suggested --------- (cherry picked from commit 00e5ec0) Co-authored-by: Daniel Ruf <daniel@daniel-ruf.de> Co-authored-by: Kirill Podoprigora <kirill.bast9@mail.ru> Co-authored-by: Jelle Zijlstra <jelle.zijlstra@gmail.com>

miss-islington-app · Oct 30, 2024

Sorry, @DanielRuf and @willingc, I could not cleanly backport this to 3.12 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker 00e5ec0d35193c1665e5c0cfe5ef82eed270d0f4 3.12

bedevere-app · Oct 30, 2024

GH-126161 is a backport of this pull request to the 3.13 branch.

brianschubert · Oct 30, 2024

@willingc I can make the 3.12 backport if that would be helpful

willingc · Oct 30, 2024

Thanks @brianschubert. Ping me if you run into any issues.

…exec (GH-118437) (#126161) gh-118633: Add warning regarding the unsafe usage of eval and exec (GH-118437) * Add warning regarding the unsafe usage of eval * Add warning regarding the unsafe usage of exec * Move warning under parameters table * Use suggested shorter text * Use suggested shorter text * Improve wording as suggested --------- (cherry picked from commit 00e5ec0) Co-authored-by: Daniel Ruf <daniel@daniel-ruf.de> Co-authored-by: Kirill Podoprigora <kirill.bast9@mail.ru> Co-authored-by: Jelle Zijlstra <jelle.zijlstra@gmail.com>

…l and exec (pythonGH-118437) * Add warning regarding the unsafe usage of eval * Add warning regarding the unsafe usage of exec * Move warning under parameters table * Use suggested shorter text Co-authored-by: Jelle Zijlstra <jelle.zijlstra@gmail.com> * Use suggested shorter text Co-authored-by: Jelle Zijlstra <jelle.zijlstra@gmail.com> * Improve wording as suggested --------- (cherry picked from commit 00e5ec0) Co-authored-by: Daniel Ruf <daniel@daniel-ruf.de> Co-authored-by: Kirill Podoprigora <kirill.bast9@mail.ru> Co-authored-by: Jelle Zijlstra <jelle.zijlstra@gmail.com>

bedevere-app · Oct 30, 2024

GH-126162 is a backport of this pull request to the 3.12 branch.

…exec (GH-118437) (#126162) (cherry picked from commit 00e5ec0) Co-authored-by: Daniel Ruf <daniel@daniel-ruf.de> Co-authored-by: Kirill Podoprigora <kirill.bast9@mail.ru> Co-authored-by: Jelle Zijlstra <jelle.zijlstra@gmail.com>

…xec (pythonGH-118437) * Add warning regarding the unsafe usage of eval * Add warning regarding the unsafe usage of exec * Move warning under parameters table * Use suggested shorter text Co-authored-by: Jelle Zijlstra <jelle.zijlstra@gmail.com> * Use suggested shorter text Co-authored-by: Jelle Zijlstra <jelle.zijlstra@gmail.com> * Improve wording as suggested --------- Co-authored-by: Kirill Podoprigora <kirill.bast9@mail.ru> Co-authored-by: Jelle Zijlstra <jelle.zijlstra@gmail.com>

Add warning regarding the unsafe usage of eval

5854024

bedevere-app bot added docs Documentation in the Doc dir skip news awaiting review labels Apr 30, 2024

JelleZijlstra added the type-security A security issue label May 2, 2024

rhettinger approved these changes May 6, 2024

View reviewed changes

bedevere-app bot added awaiting merge and removed awaiting review labels May 6, 2024

Add warning regarding the unsafe usage of exec

05054ba

DanielRuf mentioned this pull request May 6, 2024

add warning for eval and exec (unsafe usage may lead to critical vulnerabilities) #118633

Closed

terryjreedy changed the title ~~Add warning regarding the unsafe usage of eval~~ gh-118633: Add warning regarding the unsafe usage of eval May 6, 2024

hugovk reviewed May 6, 2024

View reviewed changes

Doc/library/functions.rst Outdated Show resolved Hide resolved

DanielRuf changed the title ~~gh-118633: Add warning regarding the unsafe usage of eval~~ gh-118633: Add warning regarding the unsafe usage of eval and exec May 6, 2024

Move warning under parameters table

0f3cfcd

hugovk added the needs backport to 3.12 only security fixes label May 6, 2024

Merge branch 'main' into patch-1

1f32103

JelleZijlstra reviewed May 7, 2024

View reviewed changes

Doc/library/functions.rst Outdated Show resolved Hide resolved

Doc/library/functions.rst Outdated Show resolved Hide resolved

DanielRuf and others added 2 commits May 7, 2024 08:41

Use suggested shorter text

2d37c80

Co-authored-by: Jelle Zijlstra <jelle.zijlstra@gmail.com>

Use suggested shorter text

3293768

Co-authored-by: Jelle Zijlstra <jelle.zijlstra@gmail.com>

eli-schwartz reviewed May 7, 2024

View reviewed changes

Doc/library/functions.rst Outdated Show resolved Hide resolved

Improve wording as suggested

4c96fe2

serhiy-storchaka added the needs backport to 3.13 bugs and security fixes label May 9, 2024

nineteendo reviewed Jun 2, 2024

View reviewed changes

Doc/library/functions.rst Show resolved Hide resolved

willingc approved these changes Oct 30, 2024

View reviewed changes

willingc enabled auto-merge (squash) October 30, 2024 00:23

willingc approved these changes Oct 30, 2024

View reviewed changes

willingc disabled auto-merge October 30, 2024 00:27

willingc added DO-NOT-MERGE and removed DO-NOT-MERGE labels Oct 30, 2024

willingc enabled auto-merge (squash) October 30, 2024 00:33

willingc merged commit 00e5ec0 into python:main Oct 30, 2024
30 checks passed

bedevere-app bot removed the awaiting merge label Oct 30, 2024

miss-islington-app bot assigned willingc Oct 30, 2024

bedevere-app bot removed the needs backport to 3.13 bugs and security fixes label Oct 30, 2024

bedevere-app bot removed the needs backport to 3.12 only security fixes label Oct 30, 2024

DanielRuf deleted the patch-1 branch November 3, 2024 15:51

Search code, repositories, users, issues, pull requests...

Uh oh!

gh-118633: Add warning regarding the unsafe usage of eval and exec #118437

gh-118633: Add warning regarding the unsafe usage of eval and exec #118437

Uh oh!

Conversation

DanielRuf commented Apr 30, 2024 • edited by bedevere-app bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

ghost commented Apr 30, 2024 • edited by ghost Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

DanielRuf commented Apr 30, 2024

Uh oh!

DanielRuf commented Apr 30, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Eclips4 commented Apr 30, 2024

Uh oh!

DanielRuf commented Apr 30, 2024

Uh oh!

JelleZijlstra commented May 2, 2024

Uh oh!

DanielRuf commented May 6, 2024

Uh oh!

Uh oh!

Eclips4 commented May 6, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

willingc commented Oct 30, 2024

Uh oh!

Uh oh!

miss-islington-app bot commented Oct 30, 2024

Uh oh!

miss-islington-app bot commented Oct 30, 2024

Uh oh!

bedevere-app bot commented Oct 30, 2024

Uh oh!

brianschubert commented Oct 30, 2024

Uh oh!

willingc commented Oct 30, 2024

Uh oh!

bedevere-app bot commented Oct 30, 2024

Uh oh!

Uh oh!

DanielRuf commented Apr 30, 2024 •

edited by bedevere-app bot

Loading

ghost commented Apr 30, 2024 •

edited by ghost

Loading

DanielRuf commented Apr 30, 2024 •

edited

Loading

Eclips4 commented May 6, 2024 •

edited

Loading