From e396094651816c7011712f36318981a0e8e0632b Mon Sep 17 00:00:00 2001
From: orbisai0security
Date: Wed, 19 Nov 2025 03:49:08 +0000
Subject: [PATCH] fix: resolve high vulnerability python.lang.security.audit.eval-detected.eval-detected

Automatically generated security fix
---
 skyvern/services/script_service.py | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/skyvern/services/script_service.py b/skyvern/services/script_service.py
index 2541b17cff..6f6f2df6a2 100644
--- a/skyvern/services/script_service.py
+++ b/skyvern/services/script_service.py
@@ -1707,11 +1707,17 @@ def render_template(template: str, data: dict[str, Any] | None = None) -> str:
 
 def render_list(template: str, data: dict[str, Any] | None = None) -> list[str]:
     rendered_value = render_template(template, data)
-    list_value = eval(rendered_value)
-    if isinstance(list_value, list):
-        return list_value
-    else:
-        return [list_value]
+    try:
+        # Use ast.literal_eval instead of eval for security - only evaluates literal expressions
+        import ast
+        list_value = ast.literal_eval(rendered_value)
+        if isinstance(list_value, list):
+            return list_value
+        else:
+            return [list_value]
+    except (ValueError, SyntaxError) as e:
+        # If ast.literal_eval fails, treat the rendered value as a single string item
+        return [rendered_value]
 
 
 # Non-task-based blocks
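Review bot: The `except (ValueError, SyntaxError) as e:` branch at the end of the hunk returns `[rendered_value]` without recording that parsing failed and binds an `e` it never uses, so a template that was meant to render a list but produced text `ast.literal_eval` rejects now silently becomes a one-element list of the raw string, which is hard to diagnose from the caller. Either drop `as e` or log before the fallback, e.g. `logger.warning("render_list: rendered value is not a Python literal, returning it as a single item: %s", e)` with whatever module-level logger this file already has (not visible in the hunk). Per the `ast` documentation `literal_eval` can also raise `TypeError`, `MemoryError` and `RecursionError` on malformed or deeply nested input, so if the fallback is intended to be total the caught tuple should be widened deliberately rather than left to propagate by accident; `import ast` would also normally live in the module's import block rather than inside the `try`. `render_list` begins and ends inside the hunk, so the note covers the whole function.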