keleshev / schema

Schema validation just got Pythonic
MIT License

Needless call to eval in setup.py #318

Closed moltenform closed 2 months ago

moltenform commented 3 months ago

I prefer to get rid of calls to eval for security reasons.

Especially in a setup.py file where one wouldn't expect code to run just by importing the file.

If someone malicious were to make a file in the right place they could get an arbitrary line of code to run.

Let's see if we can change the line

    if line.startswith("__version__ ="):
        version = eval(line.split("=", 1)[1])
        break

to

    if line.startswith("__version__ ="):
        # split("=", 1) returns [lhs, rhs]; take the right-hand side only
        version = line.split("=", 1)[1]
        version = version.replace('"', '').replace("'", '')
        version = version.strip()
        break
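An added example (not code from the issue or from the schema project) of reading `__version__` by parsing the file with `ast` instead of executing it: `ast.parse` builds a syntax tree without running anything, and only a plain string literal on the right-hand side is accepted, so a call or import placed there raises `ValueError` rather than running the way `eval()` would. The sample module strings are constructed for the demonstration.

```python
import ast


def read_version(source: str) -> str:
    """Return the string assigned to a module-level __version__ in `source`.

    The source is parsed, never executed. Only an assignment whose
    right-hand side is a string literal is accepted; anything else that
    eval() would have run (a call, a name, an import) is rejected.
    """
    tree = ast.parse(source)
    for node in tree.body:  # module-level statements only
        if not isinstance(node, ast.Assign):
            continue
        targets = [t.id for t in node.targets if isinstance(t, ast.Name)]
        if "__version__" not in targets:
            continue
        value = node.value
        if isinstance(value, ast.Constant) and isinstance(value.value, str):
            return value.value
        raise ValueError(
            f"__version__ is not a string literal: {ast.dump(value)}"
        )
    raise ValueError("no module-level __version__ assignment found")


def read_version_from_file(path: str) -> str:
    """Convenience wrapper for use in setup.py (hypothetical helper)."""
    with open(path, encoding="utf-8") as f:
        return read_version(f.read())


# Constructed sample inputs, not taken from the schema project.
SAFE_MODULE = '''\
"""Example module."""
__version__ = "0.7.5"  # a trailing comment is handled by the parser
'''
NON_LITERAL_MODULE = "__version__ = compute_version()\n"
MISSING_MODULE = "VERSION = '1.0'\n"

if __name__ == "__main__":
    print(read_version(SAFE_MODULE))  # 0.7.5
    for bad in (NON_LITERAL_MODULE, MISSING_MODULE):
        try:
            read_version(bad)
        except ValueError as exc:
            print("rejected:", exc)
```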
skorokithakis commented 2 months ago

No reason why we can't, would you like to submit a PR?

moltenform commented 2 months ago

Thanks!

skorokithakis commented 2 months ago

Thank you!