[BUG][HIGH] Use of eval() in assignment update is a code injection risk #671

Description

@kambiz-aghaiepour

The assignment update endpoint uses eval() to convert string boolean values:

# src/quads/server/blueprints/assignments.py:538-539
if type(_value) is str:
    if _value.lower() in ["true", "false"]:
        value = eval(_value.lower().capitalize())

While currently constrained to "True" and "False", using eval() is inherently dangerous. A future code change expanding the match set could introduce remote code execution.

Affected Code

  • src/quads/server/blueprints/assignments.py:538-539 (update_assignment)

Recommended Fix

Replace with a safe mapping:

bool_map = {"true": True, "false": False}
if _value.lower() in bool_map:
    value = bool_map[_value.lower()]
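A fuller version of the recommended fix, added here as an example and not taken from the QuADS code base: a strict boolean parser that never calls eval(), accepts real booleans as well as the strings "true"/"false", and rejects everything else (including strings that look like Python expressions) with a ValueError the endpoint can turn into a 400. The payload field names and the `coerce_bool_fields` helper are assumptions for illustration, not names from the project.

```python
from typing import Union

# Added example, not project code. Only these two spellings are accepted;
# nothing is evaluated, so there is no expression surface to expand later.
_BOOL_MAP = {"true": True, "false": False}


def parse_bool(value: Union[str, bool]) -> bool:
    """Convert a request field to bool without eval().

    Real booleans pass through; "true"/"false" (any case, surrounding
    whitespace ignored) map via _BOOL_MAP; anything else raises ValueError
    so the caller can reject the request instead of passing a raw string
    (or an expression) further into the application.
    """
    if isinstance(value, bool):
        return value
    if isinstance(value, str):
        key = value.strip().lower()
        if key in _BOOL_MAP:
            return _BOOL_MAP[key]
    raise ValueError(f"expected a boolean or 'true'/'false', got {value!r}")


def coerce_bool_fields(payload: dict, bool_fields: frozenset) -> dict:
    """Return a copy of `payload` with the listed fields converted to bool.

    Hypothetical helper for an update endpoint: fields not in `bool_fields`
    are left untouched, and a bad value surfaces as ValueError naming the
    offending field.
    """
    result = dict(payload)
    for name in bool_fields:
        if name in result:
            try:
                result[name] = parse_bool(result[name])
            except ValueError as exc:
                raise ValueError(f"field {name!r}: {exc}") from exc
    return result


if __name__ == "__main__":
    # Constructed sample payload; field names are assumptions.
    sample = {"active": "TRUE", "validated": " false ", "cloud": "cloud01"}
    print(coerce_bool_fields(sample, frozenset({"active", "validated"})))
```

Because the mapping is a plain dictionary lookup, a value such as `"__import__('os')"` is simply an unknown key and is rejected; with eval() that same string would have been executed had the match set ever been widened.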
