DOC: Document Remote Code Execution risk for Dataframe.query and comp…

…utation.eval (#58697)
pandas-dev · May 22, 2024 · b5b2d38 · b5b2d38
1 parent 7868a58
commit b5b2d38
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 0 deletions.
diff --git a/pandas/core/computation/eval.py b/pandas/core/computation/eval.py
@@ -193,6 +193,8 @@ def eval(
     corresponding bitwise operators.  :class:`~pandas.Series` and
     :class:`~pandas.DataFrame` objects are supported and behave as they would
     with plain ol' Python evaluation.
+    `eval` can run arbitrary code which can make you vulnerable to code
+    injection if you pass user input to this function.
 
     Parameters
     ----------

diff --git a/pandas/core/frame.py b/pandas/core/frame.py
@@ -4472,6 +4472,9 @@ def query(self, expr: str, *, inplace: bool = False, **kwargs) -> DataFrame | No
         """
         Query the columns of a DataFrame with a boolean expression.
 
+        This method can run arbitrary code which can make you vulnerable to code
+        injection if you pass user input to this function.
+
         Parameters
         ----------
         expr : str