Running scripts generated from unsanitized inputs (for example, evaluating expressions that include user-provided strings) can lead to malicious behavior, such as inadvertently executing code supplied by a remote client.
1from flask import app
2
3
@app.route('/')
def execute_input_noncompliant():
    """Import a urllib variant named by the ``module_version`` query parameter.

    Noncompliant: the raw request value is interpolated straight into a
    statement handed to ``exec``, so whatever text the client sends in the
    query string is run as Python inside the server process.
    """
    from flask import request

    requested = request.args.get("module_version")
    # Noncompliant: untrusted input becomes executable code with no check at all.
    statement = f"import urllib{requested} as urllib"
    exec(statement)
1from flask import app
2
3
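@app.route('/')
def execute_input_compliant():
    """Import the ``urllib<N>`` module selected by the ``module_version`` query parameter.

    The raw request value never reaches ``exec`` as text: it is converted to
    ``int`` first, and only a non-negative integer is interpolated with ``%d``,
    so the executed statement can contain nothing but decimal digits where the
    client-controlled value goes. Missing, non-numeric or negative values are
    answered with HTTP 400 instead of an unhandled exception: an absent
    parameter makes ``int(None)`` raise TypeError, non-digit text raises
    ValueError, and a negative value would turn the import into a SyntaxError.
    """
    from flask import abort, request

    raw_version = request.args.get("module_version")
    try:
        module_version = int(raw_version)
    except (TypeError, ValueError):
        abort(400, description="module_version must be an integer")
    if module_version < 0:
        # "import urllib-1 as urllib" is not valid Python; reject it rather than exec it.
        abort(400, description="module_version must be non-negative")
    # Compliant: only the sanitized integer is interpolated into the statement.
    exec("import urllib%d as urllib" % module_version)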