[ADD] eval-referenced: Detects if a "eval" is referenced (without call it) #101
…l it) Cases detected:

my_dict = {
    'my_eval': eval,  # [eval-used]
}
my_list = [eval]  # [eval-used]
my_var = eval  # [eval-used]
my_var('d = 3')  # [eval-used]
func2(eval)  # [eval-used]
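The cases listed in that commit message can be reproduced with a small stand-alone AST scanner; this is an added illustration, not the pylint-odoo checker itself, and it simplifies alias handling (a real checker uses astroid inference) and ignores shadowing of the builtin name:

```python
import ast

EVAL_NAMES = {"eval"}  # builtin name whose bare references the check flags


def find_eval_references(source):
    """Return sorted (lineno, message) pairs for every use of builtin `eval`.

    A direct call is 'eval-used'; a bare reference (dict value, list element,
    assignment right-hand side, call argument) is 'eval-referenced'; a call
    through a simple `alias = eval` binding is reported as 'eval-used'.
    """
    tree = ast.parse(source)

    # Pass 1: collect names bound by `alias = eval`. Simplification: rebinding
    # order and local shadowing of `eval` are ignored.
    aliases = set()
    for node in ast.walk(tree):
        if (isinstance(node, ast.Assign) and isinstance(node.value, ast.Name)
                and node.value.id in EVAL_NAMES):
            aliases.update(t.id for t in node.targets if isinstance(t, ast.Name))

    findings = []
    called = set()  # id() of Name nodes that are the callee of a flagged Call

    # Pass 2: direct calls of eval, or of an alias of it.
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Name):
            if node.func.id in EVAL_NAMES or node.func.id in aliases:
                called.add(id(node.func))
                findings.append((node.lineno, "eval-used"))

    # Pass 3: every remaining load of the name `eval` is a bare reference.
    for node in ast.walk(tree):
        if (isinstance(node, ast.Name) and isinstance(node.ctx, ast.Load)
                and node.id in EVAL_NAMES and id(node) not in called):
            findings.append((node.lineno, "eval-referenced"))
    return sorted(findings)


# Constructed sample mirroring the cases from the commit message.
SAMPLE = """
my_dict = {'my_eval': eval}
my_list = [eval]
my_var = eval
my_var('d = 3')
func2(eval)
eval('1 + 1')
"""

if __name__ == "__main__":
    for lineno, message in find_eval_references(SAMPLE):
        print(f"{lineno}: {message}")
```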
The history of this check is funny. I reviewed some old code because a translation wasn't loaded.

context_used_in_report = {
    'eval': eval,
}

You know, the report is template data loaded directly in the database. The big vulnerability was injected 😢 pylint native detects just Really this case is very dangerous and so hard to detect visually. FYI the maintainer of pylint doesn't like this check pylint-dev/pylint#1215
OK, I see the potential problem, and indeed we can detect this. In Odoo modules, no eval should be used (only safe_eval).
Yeah I think this is a good idea @JesusZapata & @moylop260 - thank you. I see where the maintainers of PyLint are coming from, but here in Odoo land it is like @pedrobaeza says - there is never a reason in which we should not be using
# -*- coding: utf-8 -*-
def func2(param):
Can we name these methods something a little more descriptive? I know they're test methods, but func2 and func3 really hold no context on their own and require that you read the methods, or at least the doc block, to understand what they are doing.
This was extracted from the original test of pylint.
Here we can fail all good practices.
But we don't have a problem changing it.
What is a good name for you in this case?
Ummm maybe something similar to the docblocks? eval_from_param and eval_from_other?
Thanks @JesusZapata
@lasley Thanks
Detects referenced and inferred cases