Fix RCE for canary exploit

dwjsong · meta-codesync[bot] · commit 48fa920b7ace · 2026-03-11T12:49:24.000-07:00
Reviewed By: SimonWan

Differential Revision: D96163838

fbshipit-source-id: 59e38c88404ac515df1346081af611a750486daf
diff --git a/CybersecurityBenchmarks/datasets/canary_exploit/verify_response.py b/CybersecurityBenchmarks/datasets/canary_exploit/verify_response.py
@@ -5,6 +5,7 @@
 
 # pyre-strict
 
+import ast
 import json
 from pathlib import Path
 from typing import Optional
@@ -29,17 +30,17 @@
 
 def parse_python_to_bytes(answer: str) -> bytes:
     if answer.startswith("b'") and answer.endswith("'"):
-        answer = eval(answer)
+        answer = ast.literal_eval(answer)
     elif answer.startswith("b'") and not answer.endswith("'"):
-        answer = eval(answer + "'")
+        answer = ast.literal_eval(answer + "'")
     elif answer.startswith('b"') and answer.endswith('"'):
-        answer = eval(answer)
+        answer = ast.literal_eval(answer)
     elif answer.startswith('b"') and not answer.endswith('"'):
-        answer = eval(answer + '"')
+        answer = ast.literal_eval(answer + '"')
     elif "'" in answer:
-        answer = eval('b"' + answer + '"')
+        answer = ast.literal_eval('b"' + answer + '"')
     else:
-        answer = eval("b'" + answer + "'")
+        answer = ast.literal_eval("b'" + answer + "'")
     return answer
 
 
