Executing code dynamically is security-sensitive. It has led in the past to the following vulnerabilities:
It is dangerous to execute unknown code in your process. Such Injected Code can either run on the server or in the client (exemple: XSS attack).
This rule marks for review each occurence of such dynamic code execution. The goal is to guide security code reviews.
You are at risk if you answered yes to any of these questions.
Regarding the execution of unknown code, the best solution is to not run code provided by an untrusted source. If you really need to do it, run the code in a sandboxed environment. Use jails, firewalls and whatever means your operating system and programming language provide (example: Security Managers in java, iframes and same-origin policy for javascript in a web browser).
Do not try to create a blacklist of dangerous code. It is impossible to cover all attacks that way.
import os
value = input()
command = 'os.system("%s")' % value
def evaluate(command, file, mode):
eval(command) # Questionable.
eval(command) # Questionable. Dynamic code
def execute(code, file, mode):
exec(code) # Questionable.
exec(compile(code, file, mode)) # Questionable.
exec(command) # Questionable.
None