Open DanielRuf opened 3 weeks ago
For more context, Liran Tal from Snyk posted the following on LinkedIn: https://snyk.io/de/blog/code-injection-vulnerabilities-caused-by-generative-ai/
So I opened this PR to discuss and improve the documentation concerning this matter.
Should there also be some warning for exec?
FYI, There's already an entry in faq/programming.
@Eclips4 thanks for the hint, but in my opinion this is not sufficient. Take a look at these:
https://www.php.net/manual/en/function.eval.php https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval
I doubt that anyone reading a documentation entry knows that there is a separate page with important information. The warning should be directly in the documentation.
Agree that exec() and eval() should carry big red warnings in the docs; it's a bit surprising that they don't, when the considerably safer ast.literal_eval does (https://docs.python.org/3.13/library/ast.html#ast.literal_eval).
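To make the contrast in the comment above concrete, here is an added example (not code from this PR or from the CPython docs) that puts the eval() pattern next to an ast.literal_eval() wrapper. The sample inputs and the MAX_INPUT_LEN limit are constructed for the demonstration; the limit exists because, as the ast docs note, literal_eval can still hit parser stack limits on very large or deeply nested input.

```python
"""Parsing untrusted text: eval() versus ast.literal_eval() (added example)."""
import ast

# Constructed sample inputs, as a client might send them in a request body.
CONFIG_INPUT = "{'retries': 3, 'hosts': ['a.example', 'b.example'], 'debug': False}"
EXPRESSION_INPUT = "len('abc')"  # a call expression, not a literal

# Assumed cap: literal_eval can still exhaust the parser on huge or deeply nested input.
MAX_INPUT_LEN = 4096


class UntrustedInputError(ValueError):
    """Raised when text is not a plain Python literal."""


def unsafe_parse(text):
    # The pattern the PR warns about: eval() executes whatever the text says,
    # so the caller has no control over the side effects of attacker-chosen input.
    return eval(text)


def safe_parse(text, max_len=MAX_INPUT_LEN):
    """Return the value of text only if it is a literal (numbers, strings,
    tuples, lists, dicts, sets, booleans, None); anything else is rejected."""
    if len(text) > max_len:
        raise UntrustedInputError(f"input longer than {max_len} characters")
    try:
        return ast.literal_eval(text)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as exc:
        # literal_eval raises ValueError for non-literal nodes (calls, names,
        # attribute access) and SyntaxError for text that does not parse.
        raise UntrustedInputError(f"not a literal: {exc}") from exc


def is_literal(text):
    """Convenience predicate: True if safe_parse() accepts the text."""
    try:
        safe_parse(text)
        return True
    except UntrustedInputError:
        return False


if __name__ == "__main__":
    print("safe_parse(config):", safe_parse(CONFIG_INPUT))
    # eval() happily runs the call; literal_eval refuses it.
    print("unsafe_parse(expression):", unsafe_parse(EXPRESSION_INPUT))
    print("is_literal(expression):", is_literal(EXPRESSION_INPUT))
```

The same rule applies to exec() and to compile() followed by exec(): they run arbitrary statements, so a literal parser is the right tool whenever the text comes from outside the program.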
Please add a warning to both eval() and exec(). Also, please open an issue to link this PR to: usually that's not necessary for docs fixes, but I think this is important enough that it's good to add a bit more visibility.
I've now added the warning for exec too. Creating the issue now.
LG for me. However, there is one thing that I want to discuss: do we need to add a similar note for the compile function?
📚 Documentation preview 📚: https://cpython-previews--118437.org.readthedocs.build/