Unsanitized user input in 'eval' type function
- Rule ID: python_lang_eval_using_user_input
- Languages: python
- Source: eval_using_user_input.yml
Description
Executing code with 'eval' or similar functions using unsanitized user input is risky and can lead to code injection vulnerabilities. This happens when external input is used directly in functions that execute code, allowing attackers to run malicious code within your application.
Remediations
- Do not use `eval` or similar code execution functions with unsanitized user input. This creates a significant security risk by allowing code injection.
- Do not use `ast.literal_eval()` with unsanitized user input. While `literal_eval` is often considered less risky than `eval` because it evaluates strings as Python data structures only (integers, strings, dictionaries, etc.), an attacker could exploit this function with deeply nested structures that cause excessive memory allocation or stack consumption.
- Do use dynamic hardcoded values instead of direct user input to mitigate the risk of code injection. This approach allows controlled execution of code without exposing your application to injected malicious code. For example, use a dictionary to store functions, and call these based on user input.
```python
def total_with_vat(a, b):
    total = a + b
    return total + total * 0.15

def total_without_vat(a, b):
    return a + b

# User input only selects a key in this dictionary; it is never executed as code.
get_total = {
    "incl_vat": total_with_vat,
    "excl_vat": total_without_vat
}

# `form`, `a` and `b` come from the surrounding request handler.
if form.cleaned_data["include_vat"]:
    total_func = get_total["incl_vat"]
    total = total_func(a, b)
# ...
```
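The following is an added example, not part of the Bearer rule documentation, that carries the dictionary-dispatch remediation a step further: the user's request may only pick a key from an allowlist, and the numeric amounts are parsed with `Decimal` rather than evaluated as code. The flagged pattern (`compute_total_unsafe`) is kept beside the hardened form (`compute_total`) for comparison. All function names, the `VAT_RATE` constant and the input limits are assumptions chosen for this illustration.

```python
"""Added example: allowlisted dispatch instead of eval() on user input.

The names below (compute_total, compute_total_unsafe, parse_amount, _TOTALS,
VAT_RATE) are hypothetical and not Bearer's own code.
"""
from decimal import Decimal, InvalidOperation

VAT_RATE = Decimal("0.15")  # assumed rate, matching the 0.15 used in the rule's example


def total_with_vat(a: Decimal, b: Decimal) -> Decimal:
    total = a + b
    return total + total * VAT_RATE


def total_without_vat(a: Decimal, b: Decimal) -> Decimal:
    return a + b


# Allowlist: the only code paths a request can select. Anything else is rejected.
_TOTALS = {
    "incl_vat": total_with_vat,
    "excl_vat": total_without_vat,
}


def parse_amount(raw: str) -> Decimal:
    """Convert a user-supplied amount to a number without evaluating it as code."""
    if len(raw) > 32:  # assumed bound; keeps pathological inputs out of the parser
        raise ValueError("amount too long")
    try:
        value = Decimal(raw)
    except InvalidOperation as exc:
        # Anything that is not a plain decimal literal ("1+1", "abc") ends up here.
        raise ValueError(f"not a number: {raw!r}") from exc
    if not value.is_finite() or value < 0:  # is_finite() is checked first so NaN never reaches '<'
        raise ValueError("amount out of range")
    return value


def compute_total_unsafe(mode: str, a: str, b: str):
    """The pattern this rule flags: user-controlled text is spliced into eval().

    Kept only for comparison; never call this with request data.
    """
    return eval(f"total_{mode}({a}, {b})")  # deliberately vulnerable, see rule description


def compute_total(mode: str, a: str, b: str) -> Decimal:
    """Hardened form: user input selects a dictionary key and is parsed as data.

    Raises ValueError for an unknown mode or a malformed amount, so the caller
    can return a 4xx response instead of executing anything.
    """
    try:
        func = _TOTALS[mode]
    except KeyError:
        raise ValueError(f"unknown total mode: {mode!r}") from None
    return func(parse_amount(a), parse_amount(b))


if __name__ == "__main__":
    # Constructed sample request values, not real form data.
    print(compute_total("incl_vat", "10", "20"))  # 34.50
    print(compute_total("excl_vat", "10", "20"))  # 30
```

The important property is that no string from the request is ever interpreted by Python: `mode` is only ever used as a lookup key, and the amounts go through `Decimal`, which accepts numeric literals and nothing else. Detection-wise, this is also what makes the code clean for the rule: `eval` no longer appears on any path that reads user input.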
References
Associated CWE
OWASP Top 10
Configuration
To skip this rule during a scan, use the following flag:

```shell
bearer scan /path/to/your-project/ --skip-rule=python_lang_eval_using_user_input
```

To run only this rule during a scan, use the following flag:

```shell
bearer scan /path/to/your-project/ --only-rule=python_lang_eval_using_user_input
```