hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-25 05:06:34 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
eda25bb402cabd243b71f5f429b5ecdd420965fc
codeql/python/ql/src/Expressions/UseofInput.qhelp
Rasmus Wriedt Larsen 8f70101572 Python: docs: Use <code> tag consistently in UseofInput.qhelp
2020-02-25 15:40:08 +01:00

24 lines
910 B
XML
Raw Blame History

<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>In Python 2, a call to the <code>input()</code> function, <code>input(prompt)</code> is equivalent to <code>eval(raw_input(prompt))</code>. Evaluating user input without any checking can be a serious security flaw.</p>
</overview>
<recommendation>
<p>Get user input with <code>raw_input(prompt)</code> and then validate that input before evaluating. If the expected input is a number or
string, then <code>ast.literal_eval()</code> can always be used safely.</p>
</recommendation>
<references>
<li>Python Standard Library: <a href="http://docs.python.org/2/library/functions.html#input">input</a>,
<a href="http://docs.python.org/2/library/ast.html#ast.literal_eval">ast.literal_eval</a>.</li>
<li>Wikipedia: <a href="http://en.wikipedia.org/wiki/Data_validation">Data validation</a>.</li>
</references>
</qhelp>
Reference in New Issue View Git Blame Copy Permalink