Replaces eval with json.loads for safer dict parsing

Switches from eval to json.loads when parsing string representations of dictionaries to prevent arbitrary code execution.
2026-01-20 21:54:08 +05:30
parent fe773c12b2
commit 9fa980bca2
2 changed files with 3 additions and 2 deletions
--- a/test/bdd/utils/place_inserter.py
+++ b/test/bdd/utils/place_inserter.py
@@ -7,6 +7,7 @@
 """
 Helper classes for filling the place table.
 """
+import json
 import random
 import string

@@ -51,7 +52,7 @@ class PlaceColumn:
        elif key.startswith('addr+'):
            self._add_hstore('address', key[5:], value)
        elif key in ('name', 'address', 'extratags'):
-            self.columns[key] = eval('{' + value + '}')
+            self.columns[key] = json.loads('{' + value + '}')
        else:
            assert key in ('class', 'type'), "Unknown column '{}'.".format(key)
            self.columns[key] = None if value == '' else value