fix(cli): replace eval with ast.literal_eval in parse_unknown_args_to_dict (#7390)

eval() on unsanitized CLI input allowed arbitrary code execution via crafted --key payloads. ast.literal_eval is a safe drop-in that only parses Python literals and raises ValueError/SyntaxError on expressions. Also narrows the except clause and fixes the fallback key stripping bug. Co-authored-by: Danglewood <85772166+deeleeramone@users.noreply.github.com>
2026-05-06 22:12:12 +08:00 · 2026-03-04 21:47:44 +05:30
parent 495a670a99
commit 0479f7324f
1 changed files with 5 additions and 6 deletions
--- a/cli/openbb_cli/controllers/utils.py
+++ b/cli/openbb_cli/controllers/utils.py
@@ -1,6 +1,7 @@
 """Utils."""

 import argparse
+import ast
 import os
 import random
 import re
@@ -920,13 +921,11 @@ def parse_unknown_args_to_dict(unknown_args: list[str] | None) -> dict[str, str]
            if arg.startswith("--"):
                if idx + 1 < len(unknown_args):
                    try:
-                        unknown_args_dict[arg.replace("--", "")] = (
-                            eval(  # noqa: S307, E501 pylint: disable=eval-used
-                                unknown_args[idx + 1]
-                            )
+                        unknown_args_dict[arg.replace("--", "")] = ast.literal_eval(
+                            unknown_args[idx + 1]
                        )
-                    except Exception:
-                        unknown_args_dict[arg] = unknown_args[idx + 1]
+                    except (ValueError, SyntaxError):
+                        unknown_args_dict[arg.replace("--", "")] = unknown_args[idx + 1]
                else:
                    session.console.print(
                        f"Missing value for argument {arg}. Skipping this argument."