Skip to content

🛡️ Sentinel: [CRITICAL] Restrict ast.Call in type string evaluation #355

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
bashandbone wants to merge 1 commit into
base: main
Choose a base branch
from
Open

🛡️ Sentinel: [CRITICAL] Restrict ast.Call in type string evaluation #355

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions .jules/sentinel.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,3 +4,8 @@
**Vulnerability:** Found an unused `_attempt_import` function in `src/codeweaver/server/mcp/server.py` that dynamically imports a module directly from unvalidated configuration (`import_module(mw.rsplit(".", 1)[0])`), leading to potential arbitrary code execution.
**Learning:** Functions that perform dynamic imports should not be left around in the codebase if they are unused, especially if they are designed to take unvalidated strings as input.
**Prevention:** Avoid dynamic imports based on configuration or inputs without strict whitelisting. Use tools like `semgrep` with python security rules to actively catch these patterns.

## 2026-04-21 - Arbitrary code execution via ast.Call in type string evaluation
**Vulnerability:** Found that `_safe_eval_type` in `src/codeweaver/core/di/container.py` used an AST validator that allowed `ast.Call` nodes to execute any available callable in the evaluation namespace. By crafting a type annotation string like `"os.system('echo pwned')"` (provided `os` is injected or imported), an attacker could achieve arbitrary code execution because the validated string was subsequently evaluated with `eval()`.
**Learning:** Even when AST validation correctly rejects `__` dunder accesses and restricts allowed node types, allowing generic `ast.Call` nodes remains dangerous if the execution environment contains potent functions or objects. Whitelisting specific functions (like `Depends`) inside the `ast.Call` validator is required to prevent bypasses.
**Prevention:** Explicitly restrict function calls (`ast.Call`) in custom `eval` AST validators to only known, safe operations. Ensure any code dynamically evaluating parsed input never permits generic execution.
6 changes: 6 additions & 0 deletions src/codeweaver/core/di/container.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -136,6 +136,12 @@ def generic_visit(self, node: ast.AST) -> None:
if isinstance(node, ast.Attribute) and node.attr.startswith("__"):
raise TypeError(f"Forbidden dunder attribute: {node.attr}")

# Security: Restrict calls to prevent arbitrary code execution during type evaluation
if isinstance(node, ast.Call) and (
not isinstance(node.func, ast.Name) or node.func.id != "Depends"
Comment on lines +140 to +141
Copy link
Copy Markdown
Contributor

@sourcery-ai sourcery-ai Bot May 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

issue (bug_risk): Consider allowing attribute-based Depends calls (e.g. fastapi.Depends) if those are expected in annotations.

Right now this only permits calls where node.func is a bare Name with id "Depends". Any use of fastapi.Depends(...) or some_module.Depends(...) will now raise a TypeError, which is a breaking change despite being semantically equivalent. If you want to keep those working, consider also allowing ast.Attribute nodes with attr == "Depends" (optionally constraining value to approved modules) while still rejecting arbitrary callables.

):
raise TypeError("Forbidden call type: only Depends() is allowed")
Comment on lines +139 to +143
Comment on lines +139 to +143

super().generic_visit(node)

try:
Expand Down
Loading