In Python 2, a call to input(prompt) is equivalent to eval(raw_input(prompt)): whatever the user types is parsed and executed as a Python expression. Evaluating untrusted input without any checking is a serious security flaw, because an attacker who controls the input can run arbitrary code in the process.
Read the input with raw_input(prompt) and validate it before using it. If the expected input is a number or string, parse it with ast.literal_eval(), which accepts only Python literals (numbers, strings, bytes, tuples, lists, dicts, sets, booleans and None) and never calls functions or imports modules. Two caveats apply: ast.literal_eval() also accepts container literals, so check the type of the result before using it, and the Python documentation notes that a sufficiently large or deeply nested string can still exhaust the interpreter's stack, so reject oversized input rather than treating literal_eval() as a general sanitizer.
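The following added example (written for this page, not code from the CodeQL repository) contrasts the vulnerable Python 2 semantics of input() with the recommended raw_input() plus ast.literal_eval() pattern. It is written for Python 3 so that it runs as-is: legacy_input() reproduces what Python 2's input() did by passing the raw string to eval(), and parse_literal() is the hardened replacement with the type check the text calls for. The function names and the sample inputs are constructed for illustration.

```python
import ast


def legacy_input(text):
    """Python 2 semantics of input(): the raw string goes straight to eval(),
    so any expression the user supplies is executed.  Vulnerable baseline
    only; never use this on untrusted data."""
    return eval(text)


def parse_literal(text, expected_types, max_len=4096):
    """Parse ``text`` as a Python literal and require the result to be an
    instance of one of ``expected_types``.  Raises ValueError otherwise.

    ast.literal_eval() never executes code, but it does accept containers
    (lists, dicts, ...) and can be fed pathological input, so the length
    limit and the type check are part of the validation."""
    if len(text) > max_len:
        raise ValueError("input too long (%d bytes)" % len(text))
    try:
        value = ast.literal_eval(text)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as exc:
        # ValueError: valid syntax but not a literal (e.g. a function call).
        # SyntaxError: not valid Python at all.  MemoryError / RecursionError:
        # deeply nested input that exhausted the parser or converter.
        raise ValueError("input is not a Python literal: %r" % text) from exc
    # bool is a subclass of int, so "True" would pass an int check unless we
    # rule it out explicitly when bool is not one of the wanted types.
    if isinstance(value, bool) and bool not in expected_types:
        raise ValueError("expected %s, got bool" % _names(expected_types))
    if not isinstance(value, expected_types):
        raise ValueError("expected %s, got %s"
                         % (_names(expected_types), type(value).__name__))
    return value


def _names(types):
    return "/".join(t.__name__ for t in types)


def read_number(text):
    """Validated replacement for ``input()`` when a number is expected."""
    return parse_literal(text, (int, float))


def read_string(text):
    """Validated replacement for ``input()`` when a quoted string is expected."""
    return parse_literal(text, (str,))


def is_rejected(reader, text):
    """True if ``reader`` refuses ``text`` with ValueError."""
    try:
        reader(text)
    except ValueError:
        return True
    return False


# Constructed sample inputs (not taken from the page).
BENIGN_NUMBER = "42"
BENIGN_STRING = "'hello'"
# Valid Python, but an expression rather than a literal: under eval() this
# runs a function from an imported module; under literal_eval() it is refused.
PAYLOAD = "__import__('os').getpid()"
# A list literal: accepted by literal_eval(), refused by the type check.
CONTAINER = "[1, 2, 3]"
# Deep nesting: refused either by the parser or by the type check.
NESTED = "[" * 300 + "]" * 300

if __name__ == "__main__":
    print("legacy_input(PAYLOAD) executed code and returned pid", legacy_input(PAYLOAD))
    print("read_number(BENIGN_NUMBER) ->", read_number(BENIGN_NUMBER))
    print("read_string(BENIGN_STRING) ->", read_string(BENIGN_STRING))
    for sample in (PAYLOAD, CONTAINER, NESTED, "True"):
        print("read_number(%r) rejected: %s" % (sample[:20], is_rejected(read_number, sample)))
```

In a real Python 2 program the string passed to read_number() would come from raw_input(prompt); the point of the example is that the same payload string is executed by eval() and refused by ast.literal_eval() followed by a type check.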
Python Standard Library: input, ast.literal_eval.
Wikipedia: Data validation.
Common Weakness Enumeration: CWE-94.
Common Weakness Enumeration: CWE-95.