python.django.security.injection.code.user-eval.user-eval

Verifed by r2c
Community Favorite
profile photo of semgrepsemgrep
Author
100,063
Download Count*
LGPL Commons Clause
License

Found user data in a call to 'eval'. This is extremely dangerous because it can enable an attacker to execute arbitrary remote code on the system. Instead, refactor your code to not use 'eval' and instead use a safe library for the specific functionality you need.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: user-eval
    message: Found user data in a call to 'eval'. This is extremely dangerous
      because it can enable an attacker to execute arbitrary remote code on the
      system. Instead, refactor your code to not use 'eval' and instead use a
      safe library for the specific functionality you need.
    metadata:
      cwe:
        - "CWE-95: Improper Neutralization of Directives in Dynamically
          Evaluated Code ('Eval Injection')"
      owasp:
        - A03:2021 - Injection
      references:
        - https://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html
        - https://owasp.org/www-community/attacks/Code_Injection
      category: security
      technology:
        - django
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: HIGH
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Code Injection
    patterns:
      - pattern-inside: |
          def $F(...):
            ...
      - pattern-either:
          - pattern: eval(..., request.$W.get(...), ...)
          - pattern: |
              $V = request.$W.get(...)
              ...
              eval(..., $V, ...)
          - pattern: eval(..., request.$W(...), ...)
          - pattern: |
              $V = request.$W(...)
              ...
              eval(..., $V, ...)
          - pattern: eval(..., request.$W[...], ...)
          - pattern: |
              $V = request.$W[...]
              ...
              eval(..., $V, ...)
    languages:
      - python
    severity: WARNING

Examples

user-eval.py

from textwrap import dedent

def unsafe(request):
    # ruleid: user-eval
    code = request.POST.get('code')
    print("something")
    eval(code)

def unsafe_inline(request):
    # ruleid: user-eval
    eval(request.GET.get('code'))

def unsafe_dict(request):
    # ruleid: user-eval
    eval(request.POST['code'])

def safe(request):
    # ok: user-eval
    code = """
    print('hello')
    """
    eval(dedent(code))