
43. Code Injection in Python (eval/exec misuse)

Code injection occurs when untrusted input is evaluated as code (e.g., via eval or exec). Because the input runs with the full privileges of the interpreter, this can lead to full remote code execution.

Insecure Example

expr = input("Enter expression: ")
result = eval(expr) # Dangerous: users can run arbitrary code

Secure Example

import ast, operator as op

# Safe evaluator for simple arithmetic: only numeric literals and four binary operators
allowed_ops = {ast.Add: op.add, ast.Sub: op.sub, ast.Mult: op.mul, ast.Div: op.truediv}

def safe_eval(expr):
    # Parsing builds a syntax tree; nothing is executed at this point
    node = ast.parse(expr, mode='eval')
    def _eval(n):
        # Numeric literals only (ast.Constant replaces the deprecated ast.Num; bool is excluded)
        if isinstance(n, ast.Constant) and type(n.value) in (int, float):
            return n.value
        # Binary operators from the allow-list, with both operands checked recursively
        if isinstance(n, ast.BinOp) and type(n.op) in allowed_ops:
            return allowed_ops[type(n.op)](_eval(n.left), _eval(n.right))
        # Anything else (names, calls, attribute access, ...) is rejected
        raise ValueError("Unsupported expression")
    return _eval(node.body)

print(safe_eval("2 + 3 * 4"))

Lesson: replace eval with restricted parsers or expression evaluators; never evaluate arbitrary input as code.
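The following is an added example, not part of the original lesson, that extends the same allow-list approach to unary minus, modulo and exponentiation, caps exponent size so an expression like 2 ** 10 ** 10 cannot exhaust the process, and runs a batch of constructed untrusted inputs to show which are evaluated and which are refused. The names safe_calc, classify and MAX_EXPONENT are hypothetical.

```python
import ast
import operator as op

# Allow-listed binary and unary operators (assumption: enough for a calculator-style feature)
BIN_OPS = {ast.Add: op.add, ast.Sub: op.sub, ast.Mult: op.mul,
           ast.Div: op.truediv, ast.Mod: op.mod, ast.Pow: op.pow}
UNARY_OPS = {ast.USub: op.neg, ast.UAdd: op.pos}

MAX_EXPONENT = 64  # constructed limit: blocks CPU/memory exhaustion via huge powers


def safe_calc(expr: str):
    """Evaluate a numeric expression without eval(); raise ValueError on anything else."""
    try:
        tree = ast.parse(expr, mode="eval")  # parse only, nothing runs here
    except SyntaxError as exc:
        raise ValueError(f"invalid expression: {exc.msg}") from None

    def walk(n):
        # Numeric literals only; bool/str/complex constants are refused
        if isinstance(n, ast.Constant) and type(n.value) in (int, float):
            return n.value
        if isinstance(n, ast.UnaryOp) and type(n.op) in UNARY_OPS:
            return UNARY_OPS[type(n.op)](walk(n.operand))
        if isinstance(n, ast.BinOp) and type(n.op) in BIN_OPS:
            left, right = walk(n.left), walk(n.right)
            if isinstance(n.op, ast.Pow) and abs(right) > MAX_EXPONENT:
                raise ValueError("exponent too large")
            return BIN_OPS[type(n.op)](left, right)
        # Name, Call, Attribute, Subscript, Lambda, comprehensions, ... all land here
        raise ValueError(f"unsupported syntax: {type(n).__name__}")

    return walk(tree.body)


def classify(inputs):
    """Return {expr: result or 'rejected'} for a list of untrusted strings."""
    out = {}
    for s in inputs:
        try:
            out[s] = safe_calc(s)
        except (ValueError, ZeroDivisionError):
            out[s] = "rejected"
    return out


if __name__ == "__main__":
    # Constructed sample inputs: arithmetic that should pass, syntax that must be refused
    print(classify(["2 + 3 * 4", "-(1.5 + 2) ** 2", "7 % 3", "x + 1",
                    "abs(-1)", "(1).real", "2 ** 10 ** 10", "1 / 0"]))
```

Rejections happen before any operator is applied, so a refused input never reaches Python's runtime; logging the ValueError message is a cheap way to spot probing of the endpoint.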