by baeaz 1274 days ago
That makes me think - would it be possible to have a runtime or build-time option for CPython that removes eval()?
2 comments

If you run a security linter like 'bandit' you'll get warnings for eval and other security holes.

It seems you can’t run bandit on deps, but perhaps if you fork them and build yourself?

If you are security conscious, having a rule that you can only install from a local PyPI with packages you have forked would be a more defensible perimeter. But, a maintenance pain for sure.

Probably. But Python missed their chance to nix it with the 2->3 transition.

My favorite case was when a newbie coder used eval() to evaluate something that looked JSON-ish, which came from an API request.

Simple and powerful. Gotta love it (until your customer doesn't, big-time).
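The eval()-on-JSON-ish-input case from the last comment, as an added example that is not part of the thread: the vulnerable parser (the call a linter like bandit would flag) next to json.loads and ast.literal_eval, all run against constructed request bodies. The SIDE_EFFECTS list and every body below are constructed for the demonstration; a real payload would reach for os.system instead.

```python
"""Added example, not code from the thread: eval() applied to 'JSON-ish'
request bodies, next to parsers that do not execute anything.

All request bodies below are constructed for the demonstration.
"""
import ast
import json

# A module-level list that the constructed payload reaches through eval()'s
# default globals. It stands in for the damage a real payload would do.
SIDE_EFFECTS = []


def parse_with_eval(body: str):
    """The anti-pattern from the thread. eval() accepts {"a": 1} because it is
    also a Python dict literal, so it 'works' on friendly input, and executes
    whatever else the client sends. Bandit flags this call (test id B307)."""
    return eval(body)


def parse_with_json(body: str):
    """The fix for JSON input: json.loads parses the JSON grammar only and
    raises json.JSONDecodeError (a ValueError subclass) on anything else."""
    return json.loads(body)


def parse_with_literal_eval(body: str):
    """For input that is a Python literal rather than JSON: ast.literal_eval
    accepts literals and containers only; calls, names and subscripts raise
    ValueError. Note that it also rejects JSON's true/false/null."""
    return ast.literal_eval(body)


PARSERS = {
    "eval": parse_with_eval,
    "json": parse_with_json,
    "literal_eval": parse_with_literal_eval,
}

# Constructed request bodies.
BODIES = {
    # Well-formed JSON that is also a valid Python literal: every parser agrees.
    "benign": '{"user": "alice", "roles": ["admin", "ops"]}',
    # Looks JSON-ish at a glance but is a Python expression. A real attacker
    # would put __import__("os").system(...) here; this one only appends to
    # SIDE_EFFECTS so the demo is harmless.
    "malicious": '{"user": (SIDE_EFFECTS.append("code ran"), "alice")[1]}',
    # Honest JSON using keywords Python does not have: eval() cannot even parse
    # ordinary JSON, so it fails as a parser as well as as a security control.
    "json_keywords": '{"active": true, "note": null}',
}


def run_all():
    """Feed every body to every parser.

    Returns {parser_name: {body_name: parsed_value_or_exception_class_name}}.
    """
    results = {}
    for parser_name, parser in PARSERS.items():
        results[parser_name] = {}
        for body_name, body in BODIES.items():
            try:
                results[parser_name][body_name] = parser(body)
            except Exception as exc:  # record what each parser rejects, and how
                results[parser_name][body_name] = type(exc).__name__
    return results


if __name__ == "__main__":
    for parser_name, outcomes in run_all().items():
        for body_name, outcome in outcomes.items():
            print(f"{parser_name:>12} / {body_name:<13}: {outcome!r}")
    print("side effects from eval():", SIDE_EFFECTS)
```

Running it shows the three outcomes side by side: eval() returns a clean-looking dict for the malicious body while SIDE_EFFECTS records that the embedded expression ran, and it raises NameError on plain JSON containing true/null; json.loads returns the right dict for both JSON bodies and rejects the expression with JSONDecodeError; ast.literal_eval rejects the expression but also rejects the true/null body, which is why it is a fix only when the input really is a Python literal.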