fix(bug-predict): Reduce false positives in dangerous_eval detection

GeneAI · claude · GeneAI · commit 657f4e5c9732 · 2025-12-30T19:11:48.000-05:00
Added _is_dangerous_eval_usage() helper function that filters out: - Detection code (e.g., 'if "eval(" in content') - Comments mentioning eval/exec (e.g., '# SECURITY FIX: Use json.loads()') - JavaScript's safe regex.exec() method - String literals in pattern definitions for security scanners This significantly reduces false positives when scanning codebases that contain security scanning tools or documented security fixes. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
diff --git a/src/empathy_os/workflows/bug_predict.py b/src/empathy_os/workflows/bug_predict.py
@@ -15,12 +15,95 @@
 """
 
 import json
+import re
 from pathlib import Path
 from typing import Any
 
 from .base import BaseWorkflow, ModelTier
 from .step_config import WorkflowStepConfig
 
+
+def _is_dangerous_eval_usage(content: str, file_path: str) -> bool:
+    """
+    Check if file contains dangerous eval/exec usage, filtering false positives.
+
+    Excludes:
+    - String literals used for detection (e.g., 'if "eval(" in content')
+    - Comments mentioning eval/exec (e.g., '# SECURITY FIX: Use json.loads() instead of eval()')
+    - JavaScript's safe regex.exec() method
+    - Pattern definitions for security scanners
+
+    Returns:
+        True if dangerous eval/exec usage is found, False otherwise.
+    """
+    # Check if file even contains eval or exec
+    if "eval(" not in content and "exec(" not in content:
+        return False
+
+    # For JavaScript/TypeScript files, check for regex.exec() which is safe
+    if file_path.endswith((".js", ".ts", ".tsx", ".jsx")):
+        # Remove all regex.exec() calls (these are safe)
+        content_without_regex_exec = re.sub(r"\.\s*exec\s*\(", ".SAFE_EXEC(", content)
+        # If no eval/exec remains, it was all regex.exec()
+        if "eval(" not in content_without_regex_exec and "exec(" not in content_without_regex_exec:
+            return False
+
+    # Check each line for real dangerous usage
+    lines = content.splitlines()
+    for line in lines:
+        # Skip comment lines
+        stripped = line.strip()
+        if stripped.startswith("#") or stripped.startswith("//") or stripped.startswith("*"):
+            continue
+
+        # Check for eval( or exec( in this line
+        if "eval(" not in line and "exec(" not in line:
+            continue
+
+        # Skip if it's inside a string literal for detection purposes
+        # e.g., 'if "eval(" in content' or "pattern = r'eval\('"
+        detection_patterns = [
+            r'["\'].*eval\(.*["\']',  # "eval(" or 'eval(' in a string
+            r'["\'].*exec\(.*["\']',  # "exec(" or 'exec(' in a string
+            r"in\s+\w+",  # Pattern like 'in content'
+            r'r["\'].*eval',  # Raw string regex pattern
+            r'r["\'].*exec',  # Raw string regex pattern
+        ]
+
+        is_detection_code = False
+        for pattern in detection_patterns:
+            if re.search(pattern, line):
+                # Check if it's really detection code
+                if " in " in line and (
+                    "content" in line or "text" in line or "code" in line or "source" in line
+                ):
+                    is_detection_code = True
+                    break
+                # Check if it's a string literal being defined (eval or exec)
+                if re.search(r'["\'][^"\']*eval\([^"\']*["\']', line):
+                    is_detection_code = True
+                    break
+                if re.search(r'["\'][^"\']*exec\([^"\']*["\']', line):
+                    is_detection_code = True
+                    break
+                # Check for raw string regex patterns containing eval/exec
+                if re.search(r"r['\"][^'\"]*(?:eval|exec)[^'\"]*['\"]", line):
+                    is_detection_code = True
+                    break
+
+        if is_detection_code:
+            continue
+
+        # Skip JavaScript regex.exec() - pattern.exec(text)
+        if re.search(r"\w+\.exec\s*\(", line):
+            continue
+
+        # This looks like real dangerous usage
+        return True
+
+    return False
+
+
 # Define step configurations for executor-based execution
 BUG_PREDICT_STEPS = {
     "recommend": WorkflowStepConfig(
@@ -193,7 +276,8 @@ async def _scan(self, input_data: dict, tier: ModelTier) -> tuple[dict, int, int
                                     "severity": "low",
                                 }
                             )
-                        if "eval(" in content or "exec(" in content:
+                        # Use smart detection to filter false positives
+                        if _is_dangerous_eval_usage(content, str(file_path)):
                             patterns_found.append(
                                 {
                                     "file": str(file_path),
