From b5b2d380b5ff15e1f9911e8905fac6cd975e17e5 Mon Sep 17 00:00:00 2001
From: r0rshark
Date: Wed, 22 May 2024 23:00:45 +0200
Subject: [PATCH] DOC: Document Remote Code Execution risk for Dataframe.query and computation.eval (#58697)

---
 pandas/core/computation/eval.py | 2 ++
 pandas/core/frame.py | 3 +++
 2 files changed, 5 insertions(+)

diff --git a/pandas/core/computation/eval.py b/pandas/core/computation/eval.py
index c949cfd1bc657..fee08c6199eef 100644
--- a/pandas/core/computation/eval.py
+++ b/pandas/core/computation/eval.py
@@ -193,6 +193,8 @@ def eval(
 corresponding bitwise operators. :class:`~pandas.Series` and :class:`~pandas.DataFrame` objects are supported and behave as they would with plain ol' Python evaluation.
+ `eval` can run arbitrary code which can make you vulnerable to code
+ injection if you pass user input to this function.
 Parameters
 ----------
diff --git a/pandas/core/frame.py b/pandas/core/frame.py
index c875ec78891d6..01ac5a2be3d79 100644
--- a/pandas/core/frame.py
+++ b/pandas/core/frame.py
@@ -4472,6 +4472,9 @@ def query(self, expr: str, *, inplace: bool = False, **kwargs) -> DataFrame | No
 """
 Query the columns of a DataFrame with a boolean expression.
+ This method can run arbitrary code which can make you vulnerable to code
+ injection if you pass user input to this function.
+
 Parameters
 ----------
 expr : str
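Review bot: The sentence added to the `eval` docstring (and the matching two lines in the `DataFrame.query` hunk in frame.py) names the risk but, as a plain paragraph, will not stand out on the rendered API page and gives the reader no safe alternative. I would wrap it in a `.. warning::` directive and add one sentence on the mitigation the API already provides: build `expr` only from trusted literals and pass untrusted values in as variables (via the `@name` syntax for `DataFrame.query`, or `local_dict` for `pandas.eval`) rather than interpolating them into the expression string. Minor numpydoc point: single-backtick `eval` is Sphinx default-role text, so the literal should be ``eval`` with double backticks. Both `eval` and `query` continue well past these hunks, so the warning belongs in the docstring header shown here, not in the bodies.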