Potential Code Injection via Pandas eval() or query()
Description
The pandas DataFrame.eval() and DataFrame.query() functions evaluate an expression string against the frame, so they are dangerous when that string is built from dynamic content. If any part of the expression can be supplied from outside the program (a request parameter, a file, a message), the call is a code injection vulnerability. Ensure the evaluated expression cannot be defined by external sources.
Examples
Insecure Code
```python
import pandas

# user_input is a string that arrives from outside the program; handing it to
# eval() lets whoever controls that string choose the expression that runs.
df = pandas.DataFrame({'A': [1, 2, 3]})
df.eval(user_input, inplace=True)
```
Secure Code
```python
import pandas

# The computation is expressed with ordinary DataFrame operations; no string is evaluated.
df = pandas.DataFrame({'A': [1, 2, 3]})
df['B'] = df['A'] * 2
```
Remediation
Validate and sanitize any user-provided input before passing it to pandas eval() or query() functions; a strict allowlist (known column names, a fixed set of operators, numeric literals) is more reliable than trying to reject dangerous substrings. Prefer safer alternatives, such as boolean indexing and other DataFrame methods that do not involve dynamic evaluation.
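The following is an added example, not code from the rule page, showing one way to apply the remediation: untrusted filter text is parsed against a small allowlisted grammar (`column op number`, an assumption made here as a stand-in for whatever the application actually needs) and then applied with boolean indexing, so no string ever reaches DataFrame.eval() or DataFrame.query(). The column names and sample rows in the demo are constructed for the example.

```python
import operator
import re

# Only these operators are accepted. Each maps to a plain Python comparison, so the
# accepted grammar is fixed by this table rather than by whatever pandas' parser allows.
OPERATORS = {
    "==": operator.eq,
    "!=": operator.ne,
    "<": operator.lt,
    "<=": operator.le,
    ">": operator.gt,
    ">=": operator.ge,
}

# Grammar (assumed for this example): <identifier> <operator> <numeric literal>.
# Anything else (method calls, '@' references, boolean combinators, strings) fails to match.
FILTER_RE = re.compile(
    r"^\s*([A-Za-z_]\w*)\s*(==|!=|<=|>=|<|>)\s*(-?\d+(?:\.\d+)?)\s*$"
)


def parse_filter(expr: str, allowed_columns) -> tuple[str, str, float]:
    """Parse an untrusted 'column op number' string.

    Raises ValueError for any expression outside the allowlisted grammar or for a
    column that is not in allowed_columns, so the caller never evaluates free text.
    """
    match = FILTER_RE.match(expr)
    if not match:
        raise ValueError(f"filter does not match 'column op number': {expr!r}")
    column, op, literal = match.groups()
    if column not in set(allowed_columns):
        raise ValueError(f"unknown column {column!r}")
    return column, op, float(literal)


def build_mask(values, op: str, value: float) -> list[bool]:
    """Return a boolean mask by applying the allowlisted operator to each element."""
    compare = OPERATORS[op]
    return [bool(compare(v, value)) for v in values]


def safe_filter(frame, expr: str):
    """Filter a DataFrame using the validated expression and boolean indexing.

    Equivalent in spirit to frame.query(expr) for the supported grammar, but the
    expression text is never evaluated by pandas.
    """
    column, op, value = parse_filter(expr, frame.columns)
    return frame[build_mask(frame[column], op, value)]


if __name__ == "__main__":
    import pandas as pd

    # Constructed sample data for the demo.
    df = pd.DataFrame({"A": [1, 2, 3], "B": [10, 20, 30]})
    print(safe_filter(df, "A > 1"))  # rows where A is 2 and 3

    for bad in ("A.sum() > 1", "C > 1", "A > 1 or B > 1"):
        try:
            safe_filter(df, bad)
        except ValueError as exc:
            print("rejected:", exc)
```

The parser returns a structured triple rather than a sanitized string on purpose: once the input has been reduced to a column name, an operator from a fixed table and a number, there is nothing left to inject, and the same triple can be logged or audited directly.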
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0282 |
| Category | Injection |
| Severity | HIGH |
| CWE | CWE-95 |
| Confidence | LOW |
| Impact | HIGH |
| Likelihood | LOW |
| Exploitability | MODERATE |
| Tags | code injection, eval injection |
| OWASP | N/A |