DOC: Update warning message in pandas.eval function #59108
Merged
Summary
This pull request updates the pandas.eval documentation to add a security warning about the risks of arbitrary code execution when using the function with untrusted data. This update aims to enhance user awareness and security practices.
Background
The need for this documentation update was identified by Duarte Santos from Checkmarx's Research Group. A vulnerability was discovered that allows for arbitrary code execution through the misuse of pandas.eval with untrusted inputs.
Proposed Change
Location: pandas.eval documentation
Update: Insert a warning advising users against the use of pandas.eval with untrusted data, highlighting the potential for arbitrary code execution.
Warning Text:
Warning: Use pandas.eval only with trusted data. This function can execute arbitrary code if used with untrusted inputs, similar to the risks associated with Python's pickle module documentation.
Rationale
This documentation update is crucial for preventing security issues by making users aware of the risks associated with dynamic expression evaluation in pandas.eval. The update follows a preliminary discussion with the Pandas security team and is now presented for broader community feedback.
Thank you for considering this update to enhance the safety and integrity of code using Pandas.
Regards,
Eilon Cohen
Security Analyst, Checkmarx
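The warning above tells users what not to do; the following is an added example (not part of this pull request, and not pandas' own code) of the check a caller can put in front of pandas.eval / DataFrame.eval when an expression string does come from outside. It parses the string with Python's stdlib ast module and accepts only arithmetic, comparison and boolean operators over an allow-list of column names, rejecting calls, attribute access, subscripts and anything else. The allowed node set, the function names validate_expression / is_safe_expression / safe_df_eval and the sample expressions are all my own choices for illustration; the example does not claim to reproduce pandas' expression grammar (pandas' `@name` local references, for instance, are simply rejected because Python's parser does not accept them).

```python
import ast
from typing import Iterable

# Node types a plain column-arithmetic / comparison expression needs.
# This allow-list is an assumption made for the example, not something
# pandas defines; anything outside it (Call, Attribute, Subscript, Lambda,
# comprehensions, f-strings, ...) is rejected outright.
_ALLOWED_NODES = (
    ast.Expression, ast.BinOp, ast.UnaryOp, ast.BoolOp, ast.Compare,
    ast.Name, ast.Constant, ast.Load,
    # arithmetic, plus the bitwise operators pandas uses element-wise (& | ~)
    ast.Add, ast.Sub, ast.Mult, ast.Div, ast.FloorDiv, ast.Mod, ast.Pow,
    ast.BitAnd, ast.BitOr, ast.BitXor, ast.Invert, ast.USub, ast.UAdd,
    # comparison and boolean operators
    ast.Eq, ast.NotEq, ast.Lt, ast.LtE, ast.Gt, ast.GtE,
    ast.And, ast.Or, ast.Not,
)

# Literal types allowed inside the expression (no bytes, no Ellipsis, ...).
_ALLOWED_CONSTANT_TYPES = (int, float, bool, str, type(None))


def validate_expression(expr: str, allowed_names: Iterable[str]) -> str:
    """Return expr unchanged if every node is allow-listed, else raise ValueError.

    allowed_names is the set of identifiers (normally the DataFrame's column
    names) the expression may reference; any other Name is rejected.
    """
    allowed = set(allowed_names)
    try:
        tree = ast.parse(expr, mode="eval")
    except SyntaxError as exc:
        # Covers junk input and syntax Python does not know (e.g. pandas' @local)
        raise ValueError(f"not a parseable expression: {exc.msg}") from None

    for node in ast.walk(tree):
        if not isinstance(node, _ALLOWED_NODES):
            raise ValueError(f"disallowed syntax: {type(node).__name__}")
        if isinstance(node, ast.Name) and node.id not in allowed:
            raise ValueError(f"unknown name: {node.id!r}")
        if isinstance(node, ast.Constant) and not isinstance(
            node.value, _ALLOWED_CONSTANT_TYPES
        ):
            raise ValueError(f"disallowed constant: {node.value!r}")
    return expr


def is_safe_expression(expr: str, allowed_names: Iterable[str]) -> bool:
    """Boolean wrapper around validate_expression, handy for filtering input."""
    try:
        validate_expression(expr, allowed_names)
        return True
    except ValueError:
        return False


def safe_df_eval(df, expr: str):
    """Evaluate expr against a pandas DataFrame only after it passed the gate.

    DataFrame.eval is called here; pandas is only needed if this function is used.
    """
    validated = validate_expression(expr, df.columns)
    return df.eval(validated)


if __name__ == "__main__":
    # Constructed sample inputs: what a form field or query parameter might carry.
    columns = ["price", "qty", "region"]
    samples = [
        "price * qty > 100",                  # accepted: column maths + comparison
        '(region == "EU") & (qty >= 2)',      # accepted: pandas-style element-wise &
        "__import__('os').system('id')",      # rejected: Call
        "price.__class__",                    # rejected: Attribute
        "price[0]",                           # rejected: Subscript
        "@secret",                            # rejected: not Python syntax
        "total > 1",                          # rejected: name not in allow-list
    ]
    for s in samples:
        print(f"{'ok     ' if is_safe_expression(s, columns) else 'reject '}{s}")
```

The gate is deliberately conservative: it is cheaper to extend the allow-list for a legitimate expression a user needs than to discover after the fact which construct let an attacker reach the interpreter. Where the set of expressions is known in advance, the better fix is to not accept free-form strings at all and build the expression server-side from validated fields.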