python / cpython

The Python programming language
https://www.python.org/

gh-118633: Add warning regarding the unsafe usage of eval and exec #118437

Open DanielRuf opened 3 weeks ago

DanielRuf commented 3 weeks ago

📚 Documentation preview 📚: https://cpython-previews--118437.org.readthedocs.build/

cpython-cla-bot[bot] commented 3 weeks ago

All commit authors signed the Contributor License Agreement.
CLA signed

DanielRuf commented 3 weeks ago

For more context, Liran Tal from Snyk posted the following on LinkedIn: https://snyk.io/de/blog/code-injection-vulnerabilities-caused-by-generative-ai/

So I opened this PR to discuss and improve the documentation concerning this matter.

DanielRuf commented 3 weeks ago

Should there also be some warning for exec?

Eclips4 commented 3 weeks ago

FYI, there's already an entry in faq/programming.

DanielRuf commented 3 weeks ago

@Eclips4 thanks for the hint, but in my opinion this is not sufficient. Take a look at these:

https://www.php.net/manual/en/function.eval.php
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval

I doubt that anyone reading a documentation entry knows that there is a separate page with important information. The warning should be directly in the documentation.

JelleZijlstra commented 2 weeks ago

Agree that exec() and eval() should carry big red warnings in the docs; it's a bit surprising that they don't, when the considerably safer ast.literal_eval does (https://docs.python.org/3.13/library/ast.html#ast.literal_eval).

Please add a warning to both eval() and exec(). Also, please open an issue to link this PR to: usually that's not necessary for docs fixes, but I think this is important enough that it's good to add a bit more visibility.
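To make the "considerably safer" contrast concrete, here is an added example (not code from this PR or from CPython) showing the difference between `eval()` and `ast.literal_eval()` on the same untrusted strings. `ast.literal_eval` only accepts Python literals (strings, numbers, tuples, lists, dicts, sets, booleans and `None`) and raises `ValueError` for anything else, so a name lookup or a call never runs; `eval` executes whatever expression it is given. The function name `parse_untrusted_literal` and the size cap `MAX_LEN` are assumptions for this example, not API.

```python
import ast

# Constructed cap: the ast.literal_eval docs note it can still exhaust
# memory or the stack on very large or deeply nested input, so bound the
# input size before parsing instead of relying on the parser alone.
MAX_LEN = 10_000


def parse_untrusted_literal(text: str):
    """Parse a Python literal from untrusted text without executing code.

    Returns the parsed value, or raises ValueError when the text is not a
    plain literal. Hypothetical helper for this example.
    """
    if len(text) > MAX_LEN:
        raise ValueError("input too large")
    try:
        return ast.literal_eval(text)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as exc:
        # Names, calls, attribute access, operators on non-constants and
        # malformed syntax all end up here; none of them was executed.
        raise ValueError(f"not a plain literal: {exc!r}") from None


def is_plain_literal(text: str) -> bool:
    """True when parse_untrusted_literal would accept the text."""
    try:
        parse_untrusted_literal(text)
        return True
    except ValueError:
        return False


def eval_executes_calls(text: str) -> bool:
    """Show the contrast: eval() actually runs a call expression.

    Only used with the harmless constructed input below; it exists to make
    the point that eval() executes code rather than parsing data.
    """
    return callable(len) and eval(text) == len("abc")


if __name__ == "__main__":
    # Constructed sample inputs: data literals versus a call expression.
    for sample in ["[1, 2, 3]", "{'a': (1, 2)}", "None", "len('abc')", "x", "1 +"]:
        print(f"{sample!r:16} literal_eval ok: {is_plain_literal(sample)}")
    # eval() happily runs the call that literal_eval refused.
    print("eval ran len('abc'):", eval_executes_calls("len('abc')"))
```

Stripping `__builtins__` from the globals passed to `eval()` or `exec()` does not turn either into a sandbox; if the input is data, parse it with `ast.literal_eval` (or `json.loads`) and treat everything it rejects as an error.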

DanielRuf commented 2 weeks ago

I've now added the warning for exec too. Creating the issue now.

Eclips4 commented 2 weeks ago

LG for me. However, there is one thing that I want to discuss: do we need to add a similar note for the compile function?