Python 3, Are there any known security holes in ast.literal_eval(node_or_string)?

python python-3.x security abstract-syntax-tree

Solution 1:

The documentation states it is safe, and there is no bug relative to security of literal_eval in the bug tracker, so you can probably assume it is safe.

Also, according to the source, literal_eval parses the string to a python AST (source tree), and returns only if it is a literal. The code is never executed, only parsed, so there is no reason to be a security risk.

Solution 2:

>>> code = '()' * 1000000
>>> ast.literal_eval(code)
[1]    3061 segmentation fault (core dumped)  python2

or possibly smaller will crash with SIGSEGV in Python 2. It might be exploitable under some conditions. This particular bug has been fixed in Python 3, but bugs may still exist in the AST parser.

Related

Optional permissions so an app can show on all devices and enable optional features on some?
Spark 2.0.x dump a csv file from a dataframe containing one array of type string
Enum in Hibernate, persisting as an enum
Difference between onbeforeunload and onunload
Can a URL contain a semicolon and still be valid?
Java Package Does Not Exist Error
How to change content on hover
Converting a WebClient method to async / await
Get certificate fingerprint of HTTPS server from command line?
What is the current state of the "scoped" attribute for the style element in HTML5?
Is it possible get information about caller function in Golang?
JAXB Exception: Class not known to this context