Closed jmarien closed 2 years ago
Since the test expressions in YAML are written by developers, there is not much value in changing the code to introduce python parsing logic. We only execute what is written by the developers and no other sources are pulled to enhance it.
Closing this as won't fix.
The "eval" function is used multiple times in the code. By itself, this is not a security issue if the argument that contains the code to evaluate (execute) is a hardcoded string. In that case, the reader knows exactly what will be executed and then the code becomes no less dangerous than any other code in the application.
There is, however, a call to "eval" using a dynamically built string at run-time.
In line 49 of scan/test.py, the string to be evaluated is the result of parsing a YAML file. We may want to reduce the risk of entering unexpected entries in the "expression" definition, even if the scan files are under full control and owned by the Soda SQL user.
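As an added illustration of the risk raised in this issue (example code written for this note, not Soda SQL's own code; the parsed test entries, the metric names and values, and the `safe_eval_test` / `run_tests` helpers are constructed assumptions), the bare `eval` pattern sits next to an AST-whitelisting evaluator that only accepts numeric constants, known metric names, arithmetic, comparisons and boolean logic. Any other syntax, such as a function call or attribute access, is rejected before anything runs.

```python
import ast
import operator

# Constructed sample: test expressions as they might look after a scan YAML has
# been parsed (constructed for this example, not a real Soda SQL scan file).
PARSED_TESTS = {
    "row_count_ok": "row_count > 0",
    "missing_ok": "missing_count <= 5 and invalid_percentage < 1.5",
    "avg_ok": "(min_value + max_value) / 2 >= 10",
    # Not something a developer would write on purpose, but a bare eval runs it anyway.
    "injected": "__import__('os').getcwd()",
}

# Constructed metric values the expressions are evaluated against.
METRICS = {
    "row_count": 120,
    "missing_count": 3,
    "invalid_percentage": 0.4,
    "min_value": 8,
    "max_value": 20,
}


def naive_eval_test(expression, metrics):
    """The pattern the issue describes: the parsed string goes straight to eval."""
    return eval(expression, {}, metrics)  # noqa: S307 - shown only for contrast


# Whitelist of AST node types the hardened evaluator understands.
BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
           ast.Div: operator.truediv, ast.Mod: operator.mod}
CMP_OPS = {ast.Gt: operator.gt, ast.GtE: operator.ge, ast.Lt: operator.lt,
           ast.LtE: operator.le, ast.Eq: operator.eq, ast.NotEq: operator.ne}
UNARY_OPS = {ast.USub: operator.neg, ast.Not: operator.not_}


class UnsafeExpression(ValueError):
    """Raised when an expression uses syntax outside the whitelist."""


def _eval_node(node, names):
    if isinstance(node, ast.Expression):
        return _eval_node(node.body, names)
    # Only numeric/boolean literals; strings are refused so they cannot feed anything else.
    if isinstance(node, ast.Constant) and isinstance(node.value, (int, float, bool)):
        return node.value
    if isinstance(node, ast.Name):
        if node.id not in names:
            raise UnsafeExpression(f"unknown metric name {node.id!r}")
        return names[node.id]
    if isinstance(node, ast.BinOp) and type(node.op) in BIN_OPS:
        return BIN_OPS[type(node.op)](_eval_node(node.left, names),
                                      _eval_node(node.right, names))
    if isinstance(node, ast.UnaryOp) and type(node.op) in UNARY_OPS:
        return UNARY_OPS[type(node.op)](_eval_node(node.operand, names))
    if isinstance(node, ast.BoolOp):
        values = [_eval_node(v, names) for v in node.values]
        return all(values) if isinstance(node.op, ast.And) else any(values)
    if isinstance(node, ast.Compare):
        left = _eval_node(node.left, names)
        for op, comparator in zip(node.ops, node.comparators):
            if type(op) not in CMP_OPS:
                raise UnsafeExpression(f"disallowed comparison {type(op).__name__}")
            right = _eval_node(comparator, names)
            if not CMP_OPS[type(op)](left, right):
                return False
            left = right
        return True
    # Calls, attribute access, subscripts, lambdas, comprehensions... all land here.
    raise UnsafeExpression(f"disallowed syntax: {type(node).__name__}")


def safe_eval_test(expression, metrics):
    """Parse the expression to an AST and evaluate it against the whitelist only."""
    tree = ast.parse(expression, mode="eval")
    return _eval_node(tree, metrics)


def run_tests(parsed_tests, metrics):
    """Evaluate every parsed test; unsafe or malformed entries are reported, not executed."""
    results = {}
    for name, expr in parsed_tests.items():
        try:
            results[name] = bool(safe_eval_test(expr, metrics))
        except (UnsafeExpression, SyntaxError) as exc:
            results[name] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for test_name, outcome in run_tests(PARSED_TESTS, METRICS).items():
        print(f"{test_name}: {outcome}")
```

With the constructed input, the three legitimate tests evaluate to `True` and the `injected` entry is rejected with `disallowed syntax: Call`, because the call node is never visited by anything that executes it. The whitelist approach keeps the developer-authored expressions working without giving the YAML file the full power of the Python interpreter.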