← All posts
Julien Delange Saturday, October 15, 2022

Safe and Secure Python Code: don’t use eval()

Share

AUTHOR

Julien Delange, Founder and CEO

Julien is the CEO of Codiga. Before starting Codiga, Julien was a software engineer at Twitter and Amazon Web Services.

Julien has a PhD in computer science from Universite Pierre et Marie Curie in Paris, France.

See all articles

What is eval in Python?

The eval() function in Python lets you execute random Python code from a string. It can be really convenient when you need to execute arbitrary code coming from an input.

For example, let’s say you have a variable bla and want to do some operations on it. You can then invoke the following code (here, just print the variable).

bla = “hello”
eval(print(bla))

Why eval in Python is not safe nor secure?

eval() is not secure because you never know if the code you execute can be trusted. You can limit the scope of the variables being accessed with the second argument passed to eval() but there are many cases when the content of the command itself is secure or not.

Imagine that your user uses a malicious command to execute code to get the list of users on your system like the one below. The user can get information about your system, or even worse, delete information from your system (such as data, logs, etc).

cmd = "print(open(\"/etc/passwd\").readlines())"
eval(cmd)

And even if you attempt to mitigate the issue (for example, by removing the user of global variables), the user input cannot be trusted. See this blog post for a deeper understanding. Even the official Python documentation has notes about security issues with eval().

Use literal_eval() for secure and safe Python code

The safe and secure alternative is to use literal_eval() from the ast package. literal_eval() does not let you run code from another module, it only processes Python datatype (e.g. if you need to manipulate data, not call any other functions). You can read more about the restrictions of literal_eval() in its documentation. The main benefit from using literal_eval() is that any attempt from untrusted source to execute malicious code will fail and raise a ValueError exception. In other words, the calling literal_eval() with malicious code will fail and raise an exception developers needs to handle.

The downside of using literal_eval() is that you cannot execute other functions based on any input. In such cases, you need to implement the behavior yourself and never rely on calling the eval() function.

Automatically detect unsafe or insecure use of eval()

With the Codiga plugin, you can automatically detect safe or insecure Python code. It integrates in your IDE as well as your CI/CD pipelines, thanks to all our integrations. You can even try the rule to avoid unsafe uses of eval() below.

Test Rule to Avoid eval() and use literal_eval()

To use this rule consistently, all you need to do is to install the integration in your IDE (for VS Code or JetBrains) or code management system and add a codiga.yml file at the root of your profile with the following content:

rulesets:
  - python-security

It will then check all your Python code against 100+ rules that detect unsafe and insecure code and suggests fixes for each of them.

More resources

Schedule a demo

Code analyzed in seconds with Codiga Automated Code Reviews.

Write code faster with the Codiga Coding Assistant.

Let's talk!