Python 3, Are there any known security holes in ast.literal_eval(node_or_string)?

by

The documentation states it is safe, and there is no bug relative to security of literal_eval in the bug tracker, so you can probably assume it is safe.

Also, according to the source, literal_eval parses the string to a python AST (source tree), and returns only if it is a literal. The code is never executed, only parsed, so there is no reason to be a security risk.

More Related Contents:

  1. How to add a label to all words in a file? [closed]
  2. Why does integer division yield a float instead of another integer?
  3. What do ellipsis […] mean in a list?
  4. Pinging servers in Python
  5. Reading file using relative path in python project
  6. How can I convert surrogate pairs to normal string in Python?
  7. Is there a ceiling equivalent of // operator in Python?
  8. What’s the difference between “update” and “update_idletasks”?
  9. Class inheritance in Python 3.7 dataclasses
  10. asyncio.sleep() vs time.sleep()
  11. Understanding time.perf_counter() and time.process_time()
  12. Directing print output to a .txt file
  13. Set up Python 3 build system with Sublime Text 3
  14. Securely Erasing Password in Memory (Python)
  15. Iterate over individual bytes in Python 3
  16. Tkinter resize background image to window size
  17. What does print()’s `flush` do?
  18. Self-reference or forward-reference of type annotations in Python [duplicate]
  19. ‘ModuleNotFoundError’ when trying to import module from imported package
  20. Is Python’s order of evaluation of function arguments and operands deterministic (+ where is it documented)?
  21. How to make a command case insensitive in discord.py
  22. Is this Python code vulnerable to SQL injection? (SQLite3)
  23. What does the slash mean when help() is listing method signatures?
  24. How to tell if a string contains valid Python code
  25. Appending to list in Python dictionary [duplicate]
  26. Installing TensorFlow on Windows (Python 3.6.x)
  27. Converting python string into bytes directly without eval()
  28. Why do I get “TypeError: not all arguments converted during string formatting” trying to substitute a placeholder like {0} using %?
  29. What are assignment expressions (using the “walrus” or “:=” operator)? Why was this syntax added?
  30. TypeError: cannot unpack non-iterable NoneType object

Leave a Comment