Skip to content
This repository was archived by the owner on Jun 16, 2026. It is now read-only.
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions .jules/sentinel.md
Original file line number Diff line number Diff line change
Expand Up @@ -4,3 +4,8 @@
**Vulnerability:** Found an unused `_attempt_import` function in `src/codeweaver/server/mcp/server.py` that dynamically imports a module directly from unvalidated configuration (`import_module(mw.rsplit(".", 1)[0])`), leading to potential arbitrary code execution.
**Learning:** Functions that perform dynamic imports should not be left around in the codebase if they are unused, especially if they are designed to take unvalidated strings as input.
**Prevention:** Avoid dynamic imports based on configuration or inputs without strict whitelisting. Use tools like `semgrep` with python security rules to actively catch these patterns.

## 2026-04-21 - Arbitrary code execution vulnerability in type string evaluation
**Vulnerability:** Found a critical vulnerability in `_safe_eval_type` inside `src/codeweaver/core/di/container.py` where the AST validator did not restrict `ast.Call` nodes. This could allow for arbitrary code execution during `eval()` since any callable in the global namespace could be executed if present in a type string annotation.
**Learning:** When using `eval()` in restricted environments, it is crucial to meticulously validate all AST nodes to prevent executing unwanted code. Even with restricted built-ins, allowing generic function calls via `ast.Call` defeats the purpose of the security boundary.
**Prevention:** Always restrict `ast.Call` nodes to a strict whitelist of explicitly required functions (like `Depends`, `Field`, `Parameter`) when validating AST trees for dynamic type evaluation.
15 changes: 14 additions & 1 deletion src/codeweaver/core/di/container.py
Original file line number Diff line number Diff line change
Expand Up @@ -84,7 +84,7 @@ def __init__(self) -> None:
self._request_cache: dict[Any, Any] = {} # Keys can be types or callables
self._providers_loaded: bool = False # Track if auto-discovery has run

def _safe_eval_type(self, type_str: str, globalns: dict[str, Any]) -> Any | None:
def _safe_eval_type(self, type_str: str, globalns: dict[str, Any]) -> Any | None: # noqa: C901
"""Safely evaluate a type string using AST validation.

Parses the type string into an AST, validates that it contains only safe
Expand Down Expand Up @@ -136,6 +136,19 @@ def generic_visit(self, node: ast.AST) -> None:
if isinstance(node, ast.Attribute) and node.attr.startswith("__"):
raise TypeError(f"Forbidden dunder attribute: {node.attr}")

# Security concern: Restrict ast.Call to strictly whitelisted functions to prevent
# arbitrary code execution during eval().
if isinstance(node, ast.Call):
allowed_funcs = {"Depends", "depends", "Field", "PrivateAttr", "Tag", "Parameter"}
func_name = None
if isinstance(node.func, ast.Name):
func_name = node.func.id
elif isinstance(node.func, ast.Attribute):
func_name = node.func.attr

if func_name not in allowed_funcs:
Comment on lines +141 to +149

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚨 issue (security): Attribute calls are validated only by attribute name, not by the owning object/module, which may weaken the intended security guarantees.

Because ast.Attribute calls are allowed solely by attribute name, any object exposing a Depends/Field/etc. attribute can be invoked. If this is meant to harden eval against arbitrary execution, consider also validating the attribute base (e.g., only allow attributes from specific known modules/symbols). Otherwise, an attacker could route a dangerous callable through a whitelisted attribute name and still bypass the restriction.

raise TypeError(f"Forbidden function call in type string: {func_name}")

super().generic_visit(node)

try:
Expand Down
Loading