fix: Exclude Redis eval() from security audit

rand · rand · commit 88771722784d · 2025-10-30T17:11:45.000-06:00
Redis client.eval() is a legitimate Redis EVAL command, not Python's
dangerous eval(). Updated pattern to exclude:
- redis_client.eval()
- redisClient.eval()
- redis.eval()

Results:
- CRITICAL: 16 → 14 (85.4% reduction from original 96)
- Total: 2758 → 2756

This fixes 2 false positives in API rate limiting examples.
diff --git a/tests/security_audit.py b/tests/security_audit.py
@@ -84,7 +84,8 @@ def __init__(self, verbose: bool = False):
 
         # Command injection patterns
         self.injection_patterns = {
-            r'\beval\s*\(': ('CRITICAL', 'eval() usage',
+            # eval() usage - but NOT redis_client.eval() or redisClient.eval() or redis.eval()
+            r'(?<!redis_client\.)\b(?<!redisClient\.)\b(?<!redis\.)\beval\s*\(': ('CRITICAL', 'eval() usage',
                           'Never use eval() with user input'),
             # exec() in Python or require('child_process').exec() in JS/TS
             # BUT NOT regex.exec() in JavaScript
