Python 3, Are there any known security holes in ast.literal_eval(node_or_string)?
Solution 1:
The documentation states it is safe, and there is no bug relative to security of literal_eval in the bug tracker, so you can probably assume it is safe.
Also, according to the source, literal_eval parses the string to a python AST (source tree), and returns only if it is a literal. The code is never executed, only parsed, so there is no reason to be a security risk.
Solution 2:
>>> code = '()' * 1000000
>>> ast.literal_eval(code)
[1] 3061 segmentation fault (core dumped) python2
or possibly smaller will crash with SIGSEGV
in Python 2. It might be exploitable under some conditions. This particular bug has been fixed in Python 3, but bugs may still exist in the AST parser.