Replace eval() with ast.literal_eval() for security reasons

Summary: Context: T176600074 As per https://www.internalfb.com/intern/staticdocs/pyre/docs/fb/warning_codes/code-5001, one of the recommended solutions is to replace eval() with ast.literal_eval() Reviewed By: wat3rBro Differential Revision: D56144071 fbshipit-source-id: 28f90ccbadb74455b70062ec0f058ae84ce402ee
facebookresearch · Apr 15, 2024 · 9ca6689 · 9ca6689
1 parent b7c7f4b
commit 9ca6689
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 2 deletions.
diff --git a/detectron2/config/lazy.py b/detectron2/config/lazy.py
@@ -365,7 +365,7 @@ def safe_update(cfg, key, value):
             for o in overrides:
                 key, value = o.split("=")
                 try:
-                    value = eval(value, {})
+                    value = ast.literal_eval(value)
                 except NameError:
                     pass
                 safe_update(cfg, key, value)

diff --git a/tests/config/test_lazy_config.py b/tests/config/test_lazy_config.py
@@ -53,7 +53,7 @@ def test_overrides(self):
         self.assertEqual(cfg.dir1b_dict.a, "123")
         self.assertEqual(cfg.lazyobj.x, 123)
 
-        LazyConfig.apply_overrides(cfg, ["dir1b_dict.a=abc"])
+        LazyConfig.apply_overrides(cfg, ["dir1b_dict.a='abc'"])
         self.assertEqual(cfg.dir1b_dict.a, "abc")
 
     def test_invalid_overrides(self):