Python Security: When Should I Use `ast.literal_eval()` Instead of `eval()`?

Python's eval() vs. ast.literal_eval()

Original Problem:

Using eval() for user-provided input can be dangerous. How can the ast module's .literal_eval() offer a safer alternative?

Eval Function:

The eval() function evaluates Python statements. The input can be a string containing Python code, and eval() returns the result of executing that code.

Dangers of Eval:

However, eval() can be dangerous because it has the potential to execute arbitrary code, even code that you didn't intend. For instance, if a user provides input like:

eval("import os; os.system('rm -rf *')")

It would execute the command that deletes all files in the current directory.

Using Literal Eval:

Unlike eval(), the ast.literal_eval() function only evaluates numeric literals, strings, booleans, and dictionaries. This makes it much safer for handling user-provided data, as it will not execute arbitrary code. For example, in the provided code:

datamap = ast.literal_eval(input('Provide some data here: '))

The code will only evaluate the input if it can be parsed as a dictionary, preventing any potential security risks. If the input is not a valid dictionary, ast.literal_eval() will raise an exception. Therefore, ast.literal_eval() should always be preferred over eval() for processing untrusted input.

The above is the detailed content of Python Security: When Should I Use `ast.literal_eval()` Instead of `eval()`?. For more information, please follow other related articles on the PHP Chinese website!