‘input’ function used in Python 2

ID: py/use-of-input
Kind: problem
Security severity: 9.8
Severity: error
Precision: high
Tags:
 - security
 - correctness
 - external/cwe/cwe-094
 - external/cwe/cwe-095
Query suites:
 - python-code-scanning.qls
 - python-security-extended.qls
 - python-security-and-quality.qls
In Python 2, the built-in input() function evaluates what the user types: input(prompt) is equivalent to eval(raw_input(prompt)). Evaluating user input without any checking is a serious security flaw, because the typed text can be any Python expression (for example one that imports os and runs a shell command), and it is executed with the privileges of the program.
Recommendation
Get user input with raw_input(prompt), which returns the typed text as a string without evaluating it, and validate that string before using it. If the expected input is a number, a string, or a container of such values, parse it with ast.literal_eval(), which accepts only Python literals and raises an exception (typically ValueError or SyntaxError) for anything else, such as names, function calls, or attribute access. It never executes code, but it does not check the type of the result, and it can still raise on malformed or deeply nested input, so check the type afterwards and handle those exceptions.
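The recommendation above as an added example, not code from the CodeQL documentation or the CodeQL repository: the Python 2 behaviour (eval of the typed line) alongside a replacement built on raw_input() and ast.literal_eval(), with the type check and exception handling that literal_eval() does not do for you. The names parse_literal, read_literal_py2_style, read_literal_safely and MAX_INPUT_LEN are this example's own, and the 256-character length cap is an arbitrary assumption. The code runs on both Python 2.7 and Python 3 so the two built-ins can be compared on either.

```python
# Added example (not from the CodeQL documentation): Python 2's input() is
# eval(raw_input(prompt)); the hardened replacement below reads the raw
# string and parses it with ast.literal_eval() plus a type check. Runs on
# Python 2.7 and Python 3. parse_literal, read_literal_py2_style,
# read_literal_safely and MAX_INPUT_LEN are this example's own names.
import ast
import numbers

try:                        # Python 2: raw_input() returns the typed text unevaluated
    _read_line = raw_input  # noqa: F821 (name does not exist on Python 3)
except NameError:           # Python 3: input() already returns the raw string
    _read_line = input

MAX_INPUT_LEN = 256         # assumed cap; bounds parser work before literal_eval runs


def read_literal_py2_style(line):
    """What Python 2's input() does with a line of text: eval() it.

    Kept only to show the flaw: a user who types
    __import__('os').system('id') gets that command run.
    """
    return eval(line)  # VULNERABLE: executes arbitrary expressions


def parse_literal(line, expected_types=(numbers.Number,)):
    """Parse one line of untrusted text into a Python literal of an expected type.

    ast.literal_eval() accepts only literals (numbers, strings, tuples,
    lists, dicts, sets, booleans, None) and rejects names, calls and
    attribute access, so nothing in `line` can run. It does not check the
    type of the result, so that is done here, and it can raise on malformed
    or deeply nested input, so those exceptions are caught and normalised.
    """
    if len(line) > MAX_INPUT_LEN:
        raise ValueError("input too long (%d characters)" % len(line))
    try:
        value = ast.literal_eval(line.strip())
    except (ValueError, SyntaxError, TypeError, MemoryError, RuntimeError):
        # RuntimeError also covers RecursionError on Python 3 for nested input
        raise ValueError("input is not an accepted literal")
    # bool is a subclass of int, so "True" would pass a plain Number check
    if isinstance(value, bool) and bool not in expected_types:
        raise ValueError("boolean where %r expected" % (expected_types,))
    if not isinstance(value, expected_types):
        raise ValueError("%s where %r expected"
                         % (type(value).__name__, expected_types))
    return value


def read_literal_safely(prompt, expected_types=(numbers.Number,)):
    """Replacement for Python 2's input(prompt) when a literal value is expected."""
    return parse_literal(_read_line(prompt), expected_types)


if __name__ == "__main__":
    value = read_literal_safely("Enter a number: ")
    print("parsed %r" % (value,))
```

Feeding the same string, such as `__import__('os').getpid()`, to both functions shows the difference: read_literal_py2_style() returns the process id because eval() ran the call, while parse_literal() raises ValueError because literal_eval() refuses anything that is not a literal. The explicit type check matters because literal_eval() will happily return a list or a dict when the caller wanted a number, and catching the parser's exceptions turns hostile or malformed input into a single predictable error instead of an unhandled crash.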
References
Python Standard Library: input, ast.literal_eval.
Wikipedia: Data validation.
Common Weakness Enumeration: CWE-94.
Common Weakness Enumeration: CWE-95.