From 9fa980bca248dc35124e709fbfa066e2aa3b283a Mon Sep 17 00:00:00 2001
From: Itz-Agasta
Date: Tue, 20 Jan 2026 21:54:08 +0530
Subject: [PATCH 1/2] Replaces eval with json.loads for safer dict parsing

Switches from eval to json.loads when parsing string representations of dictionaries to prevent arbitrary code execution.
---
 test/bdd/utils/checks.py | 2 +-
 test/bdd/utils/place_inserter.py | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/test/bdd/utils/checks.py b/test/bdd/utils/checks.py
index c6822d4a..84032636 100644
--- a/test/bdd/utils/checks.py
+++ b/test/bdd/utils/checks.py
@@ -58,7 +58,7 @@ COMPARISON_FUNCS = {
 None: lambda val, exp: str(val) == exp,
 'i': lambda val, exp: str(val).lower() == exp.lower(),
 'fm': lambda val, exp: re.fullmatch(exp, val) is not None,
- 'dict': lambda val, exp: val is None if exp == '-' else (val == eval('{' + exp + '}')),
+ 'dict': lambda val, exp: val is None if exp == '-' else (val == json.loads('{' + exp + '}')),
 'in_box': within_box
 }
diff --git a/test/bdd/utils/place_inserter.py b/test/bdd/utils/place_inserter.py
index f0f17e0f..d12f30a5 100644
--- a/test/bdd/utils/place_inserter.py
+++ b/test/bdd/utils/place_inserter.py
@@ -7,6 +7,7 @@
 """
 Helper classes for filling the place table.
 """
+import json
 import random
 import string
@@ -51,7 +52,7 @@ class PlaceColumn:
 elif key.startswith('addr+'):
 self._add_hstore('address', key[5:], value)
 elif key in ('name', 'address', 'extratags'):
- self.columns[key] = eval('{' + value + '}')
+ self.columns[key] = json.loads('{' + value + '}')
 else:
 assert key in ('class', 'type'), "Unknown column '{}'.".format(key)
 self.columns[key] = None if value == '' else value
From e77a4c2f350e6d1afbc2c6d5b16aeadf5701536b Mon Sep 17 00:00:00 2001
From: Itz-Agasta
Date: Wed, 21 Jan 2026 11:33:17 +0530
Subject: [PATCH 2/2] Switch to ast.literal_eval for dict parsing

Due to some test data in the BDD feature files includes Python raw strings and escape sequences that standard json.loads() cannot parse switching to safer Python literal evaluation for converting string representations of dictionaries.
---
 test/bdd/utils/checks.py | 4 +++-
 test/bdd/utils/place_inserter.py | 4 ++--
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/test/bdd/utils/checks.py b/test/bdd/utils/checks.py
index 84032636..1d09f378 100644
--- a/test/bdd/utils/checks.py
+++ b/test/bdd/utils/checks.py
@@ -7,6 +7,7 @@
 """
 Helper functions to compare expected values.
 """
+import ast
 import collections.abc
 import json
 import re
@@ -58,7 +59,8 @@ COMPARISON_FUNCS = {
 None: lambda val, exp: str(val) == exp,
 'i': lambda val, exp: str(val).lower() == exp.lower(),
 'fm': lambda val, exp: re.fullmatch(exp, val) is not None,
- 'dict': lambda val, exp: val is None if exp == '-' else (val == json.loads('{' + exp + '}')),
+ 'dict': lambda val, exp: (val is None if exp == '-'
+ else (val == ast.literal_eval('{' + exp + '}'))),
 'in_box': within_box
 }
diff --git a/test/bdd/utils/place_inserter.py b/test/bdd/utils/place_inserter.py
index d12f30a5..6d37b850 100644
--- a/test/bdd/utils/place_inserter.py
+++ b/test/bdd/utils/place_inserter.py
@@ -7,7 +7,7 @@
 """
 Helper classes for filling the place table.
 """
-import json
+import ast
 import random
 import string
@@ -52,7 +52,7 @@ class PlaceColumn:
 elif key.startswith('addr+'):
 self._add_hstore('address', key[5:], value)
 elif key in ('name', 'address', 'extratags'):
- self.columns[key] = json.loads('{' + value + '}')
+ self.columns[key] = ast.literal_eval('{' + value + '}')
 else:
 assert key in ('class', 'type'), "Unknown column '{}'.".format(key)
 self.columns[key] = None if value == '' else value
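Review bot: The new `'dict'` entry in `COMPARISON_FUNCS` (and the matching `ast.literal_eval('{' + value + '}')` line in the `place_inserter.py` hunk of this patch) never checks that the parsed literal is a dict, so an expectation whose colons are missing, e.g. `'a', 'b'`, becomes a set literal and the comparison silently yields False instead of flagging the malformed feature file, while other malformed text escapes as the parser's `ValueError`/`SyntaxError` rather than a check failure. The reason for preferring `ast.literal_eval` over `json.loads` lives only in the commit message, so it is worth recording in code, most naturally as a small named helper the lambda calls; `ast.literal_eval` cannot execute code, but the Python documentation notes it can still exhaust the interpreter stack on deeply nested input, which is acceptable for repository-controlled feature files and can be stated in the helper's docstring. The `COMPARISON_FUNCS` literal opens before this hunk.
```python
def _parse_dict_literal(text):
    """Parse a feature-file dict body (without its outer braces) as a Python literal.

    ast.literal_eval rather than json.loads because the feature files use
    Python string syntax (raw strings, escape sequences); it never executes
    code, but it raises ValueError/SyntaxError on malformed text and also
    accepts set literals, hence the explicit dict check.
    """
    parsed = ast.literal_eval('{' + text + '}')
    if not isinstance(parsed, dict):
        raise ValueError("Expected a dict literal, got {}: {!r}".format(type(parsed).__name__, text))
    return parsed

# … unchanged: within_box and the other COMPARISON_FUNCS entries …
    'dict': lambda val, exp: val is None if exp == '-' else (val == _parse_dict_literal(exp)),
```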
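Review bot: The `ast.literal_eval` line in `PlaceColumn` lets a malformed `name`/`address`/`extratags` value fail with the parser's own message, which names neither the column nor the offending text, whereas the `else` branch two lines below deliberately reports the unknown column in its assert; wrapping the call so that `except (ValueError, SyntaxError) as err:` re-raises `raise ValueError("Invalid dict literal for column '{}': {!r}".format(key, value)) from err` keeps the failure attributable in the BDD output. The enclosing method of `PlaceColumn` begins before this hunk.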