gitlab.bandit.B307
Download count: 385
Detected the use of eval(). eval() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources. Consider using safer ast.literal_eval.
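The following is an added example, not part of the rule page or the Bandit/Semgrep projects. It shows both halves of what the rule describes: a small AST-based finder for the `eval(...)` call shape the rule matches, and the `ast.literal_eval` replacement the message recommends, exercised on constructed inputs so the difference in behaviour is visible. The function names, the `SAMPLE_SOURCE` snippet and the sample inputs are all assumptions made for this example.

```python
import ast

# Constructed sample module, standing in for code the rule would scan.
# Line 3 is the flagged call; line 5 calls ast.literal_eval, which is an
# attribute call and therefore does not match the rule's `eval(...)` pattern.
SAMPLE_SOURCE = """\
import ast
def load(cfg_text):
    return eval(cfg_text)             # flagged by bandit.B307
def load_safe(cfg_text):
    return ast.literal_eval(cfg_text)  # not a call to the builtin eval
"""


def find_eval_calls(source: str) -> list[int]:
    """Return the line numbers of direct calls to the builtin eval().

    This mirrors the rule's `eval(...)` pattern: a Call whose callee is the
    bare Name `eval`. Qualified calls such as `obj.eval(...)` are Attribute
    nodes and are not reported.
    """
    tree = ast.parse(source)
    return [
        node.lineno
        for node in ast.walk(tree)
        if isinstance(node, ast.Call)
        and isinstance(node.func, ast.Name)
        and node.func.id == "eval"
    ]


def evaluate_unsafely(text: str):
    """The pattern the rule flags: eval() runs any Python expression it is
    given with the program's own privileges, so untrusted `text` becomes code."""
    return eval(text)  # bandit.B307 would report this line


def parse_literal(text: str) -> tuple[bool, object]:
    """Hardened replacement suggested by the rule message.

    ast.literal_eval only builds values from literal syntax (strings, bytes,
    numbers, tuples, lists, dicts, sets, booleans, None). Calls, operators,
    names and attribute access are rejected with ValueError; malformed input
    raises SyntaxError. Returns (accepted, value) so callers can branch
    without catching exceptions themselves.
    """
    try:
        return True, ast.literal_eval(text)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError):
        return False, None


if __name__ == "__main__":
    print("eval() calls at lines:", find_eval_calls(SAMPLE_SOURCE))
    print("eval executes a call:", evaluate_unsafely("len('abc')"))
    for sample in ("{'retries': 3, 'hosts': ['a', 'b']}", "len('abc')", "2 ** 10", "1 +"):
        print(repr(sample), "->", parse_literal(sample))
```

`ast.literal_eval` removes the code-execution risk but is not a general parser: it still walks the compiler's AST, so the Python documentation notes that sufficiently large or deeply nested input can exhaust the stack or memory, which is why the wrapper above also catches `MemoryError` and `RecursionError`. For structured configuration from outside the program, a format with a real parser (JSON, TOML) is the usual next step.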
Definition
rules:
  - id: bandit.B307
    patterns:
      - pattern: eval(...)
    message: >
      Detected the use of eval(). eval() can be dangerous if used to evaluate
      dynamic content. If this content can be input from outside the program, this
      may be a code injection vulnerability. Ensure evaluated content is not definable
      by external sources. Consider using safer ast.literal_eval.
    metadata:
      cwe: "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated
        Code ('Eval Injection')"
      owasp: "A1: Injection"
      primary_identifier: bandit.B307
      secondary_identifiers:
        - name: Bandit Test ID B307
          type: bandit_test_id
          value: B307
    license: MIT
    severity: WARNING
    languages:
      - python
Short Link: https://sg.run/J3WP