Deserialization

PyAst

The ast module exposes Python's abstract syntax tree. ast.literal_eval() is a safe evaluator that accepts literals only. The builtins eval() and exec() execute arbitrary Python code, so they are remote code execution (RCE) sinks when their input is user-controlled. compile() produces code objects that flow on to exec() or eval().

3 sinks, 1 sanitizer
Taint flow: 0 sources, 1 sanitizer → 3 sinks

Sanitizers (block taint):
  .literal_eval()

Sinks (dangerous calls):
  .eval()
  .exec()
  .compile()

Sinks

.eval() (Sink)
Signature
eval(expression, globals=None, locals=None) -> Any

Evaluates a Python expression. RCE sink when expression is user-controlled.

tracks: 0
.exec() (Sink)
Signature
exec(object, globals=None, locals=None) -> None

Executes Python code. RCE sink when the source is user-controlled.

tracks: 0
.compile() (Sink)
Signature
compile(source, filename, mode, flags=0, dont_inherit=False, optimize=-1)

Compiles source into a code object, which is then passed to exec() or eval(). Sink when source is user-controlled.

tracks: 0

Sanitizers

.literal_eval() (Sanitizer)
Signature
ast.literal_eval(node_or_string) -> Any

Safely evaluates Python literals (str, int, list, dict, tuple, bool, None); any other expression is rejected with an exception rather than executed. Use it as the sanitizing replacement for eval() when the input is meant to be data, not code.

tracks: return
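To make the sink/sanitizer distinction concrete, the following is an added example (not code from this page or from codepathfinder) that feeds the same two constructed inputs to eval() and to ast.literal_eval(); the function names and the MAX_INPUT_LEN cap are assumptions of this example.

```python
import ast
from typing import Any

# Constructed sample inputs (not from the page): one is pure data, the other
# is an expression containing a call, i.e. code rather than a literal.
DATA_INPUT = "{'user': 'alice', 'roles': ['admin', 'dev'], 'active': True}"
CODE_INPUT = "len('abc')"

# Hypothetical size cap: literal_eval is safe against code execution, but the
# Python docs note it can exhaust the interpreter stack on very deeply nested
# input, so bound the input before parsing it.
MAX_INPUT_LEN = 4096


def parse_with_eval(text: str) -> Any:
    """The sink from the table above: eval() executes whatever it is given.

    A call such as len('abc') is evaluated, so anything the user writes runs.
    Stripping builtins via the globals argument is not a sandbox either; it
    only makes the sink harder to use, not safe.
    """
    return eval(text)  # intentionally the vulnerable form


def parse_with_literal_eval(text: str) -> Any:
    """The sanitizer: only literals (str, bytes, numbers, tuple, list, dict,
    set, bool, None) are accepted.

    Any other node (calls, names, attribute access, comprehensions) makes
    ast.literal_eval raise ValueError, so no code ever executes.
    """
    if len(text) > MAX_INPUT_LEN:
        raise ValueError("input too large")
    try:
        return ast.literal_eval(text)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as exc:
        # Surface one exception type to callers instead of leaking parser detail.
        raise ValueError(f"not a Python literal: {type(exc).__name__}") from None


def is_literal(text: str) -> bool:
    """True when the sanitizer accepts the input, False when it rejects it."""
    try:
        parse_with_literal_eval(text)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    print(parse_with_eval(CODE_INPUT))                      # 3: the call ran
    print(is_literal(DATA_INPUT), is_literal(CODE_INPUT))   # True False
```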

Other Methods

.parse() (Neutral)
Signature
ast.parse(source, filename='<unknown>', mode='exec', ...) -> Module

Parses source into an AST. Neutral on its own: building a tree does not execute it.

Fully-Qualified Names

FQN        Field
ast        fqns[0]
builtins   fqns[1]

A wrong FQN silently yields 0 findings. Verify the rule is actually matching: change the fqns entries to garbage values and re-run; the rule must then produce 0 results, which confirms the real FQNs were the ones being matched.

Import

rule.py
from codepathfinder.go_rule import PyAst