DOC: Document Remote Code Execution risk for Dataframe.query and computation.eval (pandas-dev#58697)
r0rshark authored May 22, 2024
1 parent 7868a58 commit b5b2d38
Showing 2 changed files with 5 additions and 0 deletions.
2 changes: 2 additions & 0 deletions pandas/core/computation/eval.py
Expand Up @@ -193,6 +193,8 @@ def eval(
corresponding bitwise operators. :class:`~pandas.Series` and
:class:`~pandas.DataFrame` objects are supported and behave as they would
with plain ol' Python evaluation.
`eval` can run arbitrary code which can make you vulnerable to code
injection if you pass user input to this function.
Parameters
----------
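Review bot: the new sentence "`eval` can run arbitrary code which can make you vulnerable to code injection if you pass user input to this function." is appended directly after "with plain ol' Python evaluation." with no blank line, so numpydoc will render it as the tail of the paragraph about bitwise operators rather than as a standalone warning. Insert a blank line before it, or better, put it in a `.. warning::` directive block so it stands out in the rendered API reference; the same wording should then be reused for the `query` docstring in frame.py so the two stay consistent.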
3 changes: 3 additions & 0 deletions pandas/core/frame.py
Expand Up @@ -4472,6 +4472,9 @@ def query(self, expr: str, *, inplace: bool = False, **kwargs) -> DataFrame | No
"""
Query the columns of a DataFrame with a boolean expression.
This method can run arbitrary code which can make you vulnerable to code
injection if you pass user input to this function.
Parameters
----------
expr : str
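Review bot: "This method can run arbitrary code which can make you vulnerable to code injection if you pass user input to this function." immediately follows the one-line summary "Query the columns of a DataFrame with a boolean expression." without a blank line, and numpydoc treats the first paragraph as the summary, so the warning will be merged into the summary line. Separate it with a blank line, or use a `.. warning::` directive as in the `eval` docstring, and consider stating in the Parameters section for `expr` that the string is evaluated, so readers see the risk next to the argument they control.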