Eval Injection
Description
The application passes non-literal data (typically attacker-controlled input such as a request parameter, header, or file contents) to the `eval` function. Because `eval` executes its argument as a Python expression, an adversary who controls that string can run arbitrary Python code with the privileges of the application process, including importing modules, reading files, and spawning subprocesses.
Examples
Insecure Code
```python
# Vulnerable: the string is executed as Python, whatever it contains
eval(user_supplied_data)
```
Secure Code
```python
import json

# Safe: json.loads parses a data format and never executes code
user_object = json.loads(user_supplied_data)
```
Remediation
Remove calls to `eval` and replace them with a parser for the data format you actually expect. For structured input, `json.loads` converts a string into a Python object without executing anything. If the input is a Python literal (for example a configuration value such as a list or dict), `ast.literal_eval` accepts literals only and raises on calls, attribute access, and other expressions. In either case, validate the shape and type of the resulting object before using it; a parser prevents code execution but does not enforce your business rules.
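The following is an added example and not code from the original rule page. It places the `eval`-based parser next to the two safe replacements described above and runs each over a constructed benign input and a constructed malicious payload. The payload (`__import__('os').getpid()`) is chosen because it proves code execution without side effects; the function names `insecure_parse`, `secure_parse`, `literal_parse`, and `demonstrate` are assumptions for illustration.

```python
"""Added example (not from the original rule page): the eval-based parser
beside two safe replacements, exercised with a constructed malicious payload."""
import ast
import json
import os

# Constructed inputs. The benign one is what the business logic expects; the
# malicious one is a valid Python expression that runs code when eval'd.
BENIGN_INPUT = '{"user": "alice", "roles": ["reader"]}'
MALICIOUS_INPUT = "__import__('os').getpid()"  # stands in for any payload


def insecure_parse(user_supplied_data: str):
    """Vulnerable: eval() runs whatever expression the caller sends."""
    return eval(user_supplied_data)


def secure_parse(user_supplied_data: str) -> dict:
    """json.loads understands only JSON; a Python expression is a parse error.
    The shape check stops the caller from smuggling in a non-object."""
    try:
        obj = json.loads(user_supplied_data)
    except json.JSONDecodeError as exc:
        raise ValueError(f"rejected non-JSON input: {exc}") from None
    if not isinstance(obj, dict):
        raise ValueError("expected a JSON object")
    return obj


def literal_parse(user_supplied_data: str):
    """ast.literal_eval accepts only Python literals (strings, numbers, tuples,
    lists, dicts, sets, booleans, None); calls and attribute access raise."""
    try:
        return ast.literal_eval(user_supplied_data)
    except (ValueError, SyntaxError) as exc:
        raise ValueError(f"rejected non-literal input: {exc}") from None


def demonstrate() -> dict:
    """Run each parser over both inputs and report what happened."""
    outcome = {}
    # eval executed the payload: the returned value is this process's PID
    outcome["eval_executed_code"] = insecure_parse(MALICIOUS_INPUT) == os.getpid()
    outcome["json_benign"] = secure_parse(BENIGN_INPUT)["user"]
    outcome["literal_benign"] = literal_parse(BENIGN_INPUT)["user"]
    for name, parser in (("json", secure_parse), ("literal", literal_parse)):
        try:
            parser(MALICIOUS_INPUT)
            outcome[f"{name}_blocked"] = False
        except ValueError:
            outcome[f"{name}_blocked"] = True
    return outcome


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print(f"{key}: {value}")
```

Both safe parsers reject the payload with a `ValueError` while still returning the expected object for the benign input. `json.loads` is the better default when the wire format is under your control, because it bounds the input to JSON; `ast.literal_eval` is for the narrower case where the input is genuinely a Python literal. Neither is a substitute for validating the resulting object, and `ast.literal_eval` can still exhaust the interpreter stack on pathologically nested input, so size-limit untrusted strings before parsing.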
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0144 |
| Category | Injection |
| Severity | HIGH |
| CWE | CWE-95 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | eval, injection |
| OWASP | A1:2017-Injection, A03:2021-Injection |