Do not use eval()

Avoid dynamic evaluation of code, such as eval(code).

If the user has control over evaluated code (because the code is concatenated with user data), this leads to 'script injection' vulnerabilities, which could end in well-known security attacks.

The Python built-in function eval() parses and evaluates a Python expression passed to it as a string. This behavior introduces a serious security risk, especially when eval() processes data that can be influenced by external users. If attackers can inject or manipulate the input, they may execute arbitrary code within the context of the application.

Commonly exploited in web applications, eval() opens the door to Remote Code Execution (RCE) vulnerabilities, one of the most critical classes of security issues.

Example of vulnerable usage:

Even attempting to sanitize user input is generally unreliable and prone to bypasses. It is recommended to completely avoid the use of eval().

Replace eval() with safer alternatives, such as ast.literal_eval() for evaluating Python literals (strings, numbers, lists, dicts, etc.), or implement custom parsing logic tailored to your specific needs.

Safer alternative example:

Avoid scenarios where dynamic evaluation of code is necessary. If a use case seems to require eval(), reconsider the design. Static mappings (like dictionaries or function dispatch tables) can often replace dynamic evaluation.

By enforcing the no_use_eval rule, development teams can significantly reduce the attack surface of their Python applications and maintain a more secure codebase.

This detector does not need any configuration.