python.lang.security.audit.eval-detected.eval-detected
Community Favorite
semgrep
Author
48,183
Download Count*
License
Detected the use of eval(). eval() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources.
Run Locally
Run in CI
Defintion
rules:
- id: eval-detected
patterns:
- pattern-not: eval(f"")
- pattern-not: eval("...")
- pattern: eval(...)
message: Detected the use of eval(). eval() can be dangerous if used to evaluate
dynamic content. If this content can be input from outside the program,
this may be a code injection vulnerability. Ensure evaluated content is
not definable by external sources.
metadata:
source-rule-url: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_calls.html#b307-eval
cwe:
- "CWE-95: Improper Neutralization of Directives in Dynamically
Evaluated Code ('Eval Injection')"
owasp:
- A03:2021 - Injection
asvs:
section: "V5: Validation, Sanitization and Encoding Verification Requirements"
control_id: 5.2.4 Dyanmic Code Execution Features
control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v52-sanitization-and-sandboxing-requirements
version: "4"
category: security
technology:
- python
references:
- https://owasp.org/Top10/A03_2021-Injection
subcategory:
- audit
likelihood: LOW
impact: HIGH
confidence: LOW
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Code Injection
languages:
- python
severity: WARNING
Examples
eval-detected.py
# ok:eval-detected
eval("x = 1; x = x + 2")
# ok:eval-detected
eval(f"x = 1; x = x + 2")
blah = "import requests; r = requests.get('https://example.com')"
# ok:eval-detected
eval(blah)
dynamic = "import requests; r = requests.get('{}')"
# ruleid:eval-detected
eval(dynamic.format("https://example.com"))
def eval_something(something):
# ruleid:eval-detected
eval(something)
from something import eval
# ok:eval-detected
eval("something")
# ok:eval-detected
eval("somethin(){}")
# ok:eval-detected
eval(f"something()")
# ok:eval-detected
eval("")
# ok:eval-detected
eval(f"")
user_input = get_userinput()
# ruleid:eval-detected
eval(f"some_func({user_input})")
def eval_something(something):
# ruleid:eval-detected
eval(f"some_func({{{something}}})")
Short Link: https://sg.run/ZvrD