CodeQL documentation

‘input’ function used in Python 2

ID: py/use-of-input
Kind: problem
Security severity: 9.8
Severity: error
Precision: high
Tags:
- security
- correctness
- external/cwe/cwe-094
- external/cwe/cwe-095
Query suites:
- python-code-scanning.qls
- python-security-extended.qls
- python-security-and-quality.qls


In Python 2, a call to the input() function, input(prompt), is equivalent to eval(raw_input(prompt)). Evaluating user input without any checking can be a serious security flaw.

Recommendation

Get user input with raw_input(prompt) and then validate that input before evaluating it. If the expected input is a number or string, then ast.literal_eval() can always be used safely.
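The recommended replacement in working form, as an added example that is not part of the CodeQL query or its documentation: read the raw string, parse it with ast.literal_eval(), and accept only the literal types the caller expects. The raw_input alias lets it run on Python 2 and 3; MAX_INPUT_LEN is an assumed bound added here.

```python
import ast

# Python 2: input() is eval(raw_input()). Python 3 has only input(), which
# returns the raw string, so alias it to make the safe reader portable.
try:
    raw_input  # exists only on Python 2
except NameError:
    raw_input = input

MAX_INPUT_LEN = 200  # assumed bound; keeps pathological input away from the parser


def parse_literal(raw, allowed_types=(int, float, str)):
    """Turn an untrusted string into a Python literal, or raise ValueError.

    ast.literal_eval only accepts literal syntax (numbers, strings, tuples,
    lists, dicts, sets, booleans, None). Function calls, attribute access
    and other expressions are rejected before anything is executed.
    """
    if len(raw) > MAX_INPUT_LEN:
        raise ValueError("input too long")
    try:
        value = ast.literal_eval(raw.strip())
    except (ValueError, SyntaxError, TypeError, MemoryError, RuntimeError):
        # RuntimeError covers RecursionError on deeply nested input
        raise ValueError("input is not a plain literal")
    # bool is a subclass of int, so check it explicitly
    if isinstance(value, bool) and bool not in allowed_types:
        raise ValueError("input has unexpected type bool")
    if not isinstance(value, allowed_types):
        raise ValueError("input has unexpected type %s" % type(value).__name__)
    return value


def read_number(prompt="Enter a number: "):
    """Drop-in replacement for Python 2 input(prompt) when a number is expected."""
    return parse_literal(raw_input(prompt), allowed_types=(int, float))


def is_rejected(raw):
    """True when parse_literal refuses the string without evaluating it."""
    try:
        parse_literal(raw)
    except ValueError:
        return True
    return False
```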

References