From 64af0eae3a2b269ed7da3d7f3de8c28800e436fd Mon Sep 17 00:00:00 2001 From: eilonc-cx <160746118+eilonc-cx@users.noreply.github.com> Date: Wed, 26 Jun 2024 16:10:42 +0300 Subject: [PATCH 1/4] Update warning message in pandas.eval function Modify warning to indicate the risks using eval func. --- pandas/core/computation/eval.py | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/pandas/core/computation/eval.py b/pandas/core/computation/eval.py index fee08c6199eef..4fa075809b403 100644 --- a/pandas/core/computation/eval.py +++ b/pandas/core/computation/eval.py @@ -193,8 +193,11 @@ def eval( corresponding bitwise operators. :class:`~pandas.Series` and :class:`~pandas.DataFrame` objects are supported and behave as they would with plain ol' Python evaluation. - `eval` can run arbitrary code which can make you vulnerable to code - injection if you pass user input to this function. + Warning: The `pandas.eval` function is not secure when processing untrusted data. Only use this function with data you trust. + It is possible to utilize the `pandas.eval` function in ways that could allow execution of arbitrary code via specially crafted input. + Never use this function with data that could have come from an untrusted source or has been tampered with. + Consider more stringent checks or safer alternatives when dealing with untrusted data. + Parameters ---------- From ec019bb6659f04d58d85626e6f7296878af54632 Mon Sep 17 00:00:00 2001 From: eilonc-cx <160746118+eilonc-cx@users.noreply.github.com> Date: Wed, 26 Jun 2024 18:15:47 +0300 Subject: [PATCH 2/4] Update pandas.eval function warning message - fix Docstring --- pandas/core/computation/eval.py | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/pandas/core/computation/eval.py b/pandas/core/computation/eval.py index 4fa075809b403..934e385e0f0ac 100644 --- a/pandas/core/computation/eval.py +++ b/pandas/core/computation/eval.py 
@@ -193,12 +193,11 @@ def eval( corresponding bitwise operators. :class:`~pandas.Series` and :class:`~pandas.DataFrame` objects are supported and behave as they would with plain ol' Python evaluation. + Warning: The `pandas.eval` function is not secure when processing untrusted data. Only use this function with data you trust. - It is possible to utilize the `pandas.eval` function in ways that could allow execution of arbitrary code via specially crafted input. - Never use this function with data that could have come from an untrusted source or has been tampered with. + It is possible to utilize the `pandas.eval` function in ways that could allow execution of arbitrary code via specially crafted input.Never use this function with data that could have come from an untrusted source or has been tampered with. Consider more stringent checks or safer alternatives when dealing with untrusted data. - Parameters ---------- expr : str From aecaf981e10be08d9d5e49b244532ee4eb00364d Mon Sep 17 00:00:00 2001 From: eilonc-cx <160746118+eilonc-cx@users.noreply.github.com> Date: Wed, 26 Jun 2024 19:45:35 +0300 Subject: [PATCH 3/4] Update pandas/core/computation/eval.py Co-authored-by: Matthew Roeschke <10647082+mroeschke@users.noreply.github.com> --- pandas/core/computation/eval.py | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/pandas/core/computation/eval.py b/pandas/core/computation/eval.py index 934e385e0f0ac..08de39551d8dd 100644 --- a/pandas/core/computation/eval.py +++ b/pandas/core/computation/eval.py 
@@ -194,9 +194,10 @@ def eval( :class:`~pandas.DataFrame` objects are supported and behave as they would with plain ol' Python evaluation. - Warning: The `pandas.eval` function is not secure when processing untrusted data. Only use this function with data you trust. - It is possible to utilize the `pandas.eval` function in ways that could allow execution of arbitrary code via specially crafted input.Never use this function with data that could have come from an untrusted source or has been tampered with. - Consider more stringent checks or safer alternatives when dealing with untrusted data. + .. warning:: + + ``eval`` can run arbitrary code which can make you vulnerable to code + injection and untrusted data. Parameters ---------- From e3542a0cc59950bd55b63c93978ac20d2061ae6f Mon Sep 17 00:00:00 2001 From: Matthew Roeschke <10647082+mroeschke@users.noreply.github.com> Date: Thu, 27 Jun 2024 08:19:19 -0700 Subject: [PATCH 4/4] Update pandas/core/computation/eval.py --- pandas/core/computation/eval.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pandas/core/computation/eval.py b/pandas/core/computation/eval.py index 08de39551d8dd..aad768d31483a 100644 --- a/pandas/core/computation/eval.py +++ b/pandas/core/computation/eval.py @@ -193,9 +193,9 @@ def eval( corresponding bitwise operators. :class:`~pandas.Series` and :class:`~pandas.DataFrame` objects are supported and behave as they would with plain ol' Python evaluation. - + .. warning:: - + ``eval`` can run arbitrary code which can make you vulnerable to code injection and untrusted data.
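Review bot: In PATCH 1/4 the replacement warning is a plain "Warning:" paragraph with single-backtick `pandas.eval`; the rest of this docstring is reST (note the :class:`~pandas.Series` role just above), where a single backtick is interpreted text rather than a literal, and the admonition form is the `.. warning::` directive with double-backtick ``eval``. The four new lines also run well past the wrap width of the surrounding docstring lines, which are wrapped at roughly 80 columns. The wording loses precision too: the removed text named the condition ("if you pass user input to this function"), while the replacement says "untrusted data" three times without saying that the risk is the expression string itself being built from that data. Suggest a `.. warning::` directive, wrapped, along the lines of "``eval`` can run arbitrary code, which can make you vulnerable to code injection if you pass untrusted input to this function; prefer safer alternatives in that case", keeping the "safer alternatives" advice this patch introduces.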
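Review bot: PATCH 2/4 joins the two sentences without a space, producing "specially crafted input.Never use this function", and it moves the blank line from after the warning to before it, so the "Parameters" section header now follows the warning paragraph directly with no separating blank line; numpydoc expects a blank line before each section header, so this should be kept on both sides of the warning. Re-add the space after "input." (or keep the sentences on separate lines as they were in PATCH 1/4) and keep the trailing blank line before "Parameters".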
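Review bot: PATCH 3/4 restores the correct `.. warning::` directive with ``eval`` as a literal, but the body "can make you vulnerable to code injection and untrusted data" reads as if untrusted data were itself something one is vulnerable to, and it drops the condition the pre-PR text stated ("if you pass user input to this function") along with the "safer alternatives" advice added in PATCH 1/4. Suggest: "``eval`` can run arbitrary code, which can make you vulnerable to code injection if you pass untrusted input to this function." and, optionally, a second sentence pointing the reader to safer alternatives for untrusted input.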
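Review bot: PATCH 4/4 is a whitespace-only fixup: the two `-`/`+` pairs around the `.. warning::` line differ only in trailing whitespace on the blank lines, matching the 2 insertions, 2 deletions in the stat line. That is fine to land, but it belongs squashed into PATCH 3/4 so the history carries one docstring change rather than a separate trailing-whitespace commit.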