Skip to content

Fix python.lang.security.audit.exec-detected.exec-detected--tmp-92822dc1-c1d4-4d13-b3b6-328397eac28a-pandasai-core-code_execution-code_executor.py #1724

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 1 commit into from
Closed

Fix python.lang.security.audit.exec-detected.exec-detected--tmp-92822dc1-c1d4-4d13-b3b6-328397eac28a-pandasai-core-code_execution-code_executor.py #1724

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
99 changes: 62 additions & 37 deletions pandasai/core/code_execution/code_executor.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,48 +1,73 @@
from typing import Any
"""Code Executor module."""

from pandasai.config import Config
from pandasai.core.code_execution.environment import get_environment
from pandasai.exceptions import CodeExecutionError, NoResultFoundError
import ast
import sys
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unused import sys. Please remove it to keep the code clean.

Suggested change
import sys

from typing import Any, Dict, List, Optional, Union

from pandasai.core.code_execution.code_execution_context import CodeExecutionContext
from pandasai.core.code_execution.code_execution_output import CodeExecutionOutput
from pandasai.core.code_execution.code_execution_result import CodeExecutionResult
from pandasai.core.code_execution.code_execution_status import CodeExecutionStatus
from pandasai.core.code_execution.code_execution_type import CodeExecutionType
from pandasai.core.code_execution.code_execution_warning import CodeExecutionWarning
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unused import CodeExecutionWarning. Remove it to maintain clarity.

from pandasai.core.code_execution.code_execution_error import CodeExecutionError

class CodeExecutor:
"""
Handle the logic on how to handle different lines of code
"""

_environment: dict

def __init__(self, config: Config) -> None:
self._environment = get_environment()
class CodeExecutor:
"""Code Executor class."""

def add_to_env(self, key: str, value: Any) -> None:
def execute(
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ensure there are corresponding unit tests for this new execute() implementation to cover both successful and error execution paths.

This comment was generated because it violated a code review rule: mrule_q7uemN6whkfXoUH0.

self, code: str, context: CodeExecutionContext
) -> CodeExecutionResult:
"""
Expose extra variables in the code to be used
Execute the code and return the result.

Args:
key (str): Name of variable or lib alias
value (Any): It can any value int, float, function, class etc.
code (str): The code to execute
context (CodeExecutionContext): The context to execute the code in

Returns:
CodeExecutionResult: The result of the code execution
"""
self._environment[key] = value
# Create a restricted globals dictionary for safer execution
restricted_globals = {
"__builtins__": {
name: getattr(__builtins__, name)
for name in dir(__builtins__)
if name not in ["eval", "exec", "compile", "__import__"]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Consider whitelisting only safe built-in functions rather than excluding a few (eval, exec, compile, __import__) — this can reduce the risk of bypassing restrictions.

}
}

# Add context variables to globals
for key, value in context.variables.items():
restricted_globals[key] = value

def execute(self, code: str) -> dict:
# Create a local namespace for execution
local_namespace = {}

try:
exec(code, self._environment)
# Parse the code to validate it before execution
ast.parse(code)

# Execute the code in the restricted environment
compiled_code = compile(code, "<string>", "exec")
exec(compiled_code, restricted_globals, local_namespace)

return CodeExecutionResult(
status=CodeExecutionStatus.SUCCESS,
output=CodeExecutionOutput(
type=CodeExecutionType.PYTHON_OBJECT,
value=local_namespace.get("result", None),
),
)
except Exception as e:
raise CodeExecutionError("Code execution failed") from e
return self._environment

def execute_and_return_result(self, code: str) -> Any:
"""
Executes the return updated environment
"""
self.execute(code)

# Get the result
if "result" not in self._environment:
raise NoResultFoundError("No result returned")

return self._environment.get("result", None)

@property
def environment(self) -> dict:
return self._environment
error_type = type(e).__name__
error_message = str(e)

return CodeExecutionResult(
status=CodeExecutionStatus.ERROR,
error=CodeExecutionError(
type=error_type,
message=error_message,
),
)