fix(math): restrict sympy expression parsing#200
QWED Security — FAILURE
QWED Security Verification Report
11 files scanned | 1 blocked | 23 warnings | 12 info | 3 verified
Engines: pattern_scan, python_ast, secret_scan, shell_safety, policy_config
Blocked Findings
| File | Line | Context | Issue |
|---|---|---|---|
tests/test_api_exceptions.py |
L11 | TEST_CODE |
Hardcoded credential-like material detected. |
Advisory Warnings
| File | Line | Context | Issue |
|---|---|---|---|
src/qwed_new/core/safe_parser.py |
L40 | RUNTIME_CODE |
compile() can be part of dynamic code generation. |
tests/test_api_exceptions.py |
L44 | TEST_CODE |
assert should not be the only input-validation boundary. |
tests/test_api_exceptions.py |
L45 | TEST_CODE |
assert should not be the only input-validation boundary. |
tests/test_api_exceptions.py |
L46 | TEST_CODE |
assert should not be the only input-validation boundary. |
tests/test_api_exceptions.py |
L64 | TEST_CODE |
assert should not be the only input-validation boundary. |
tests/test_api_exceptions.py |
L65 | TEST_CODE |
assert should not be the only input-validation boundary. |
tests/test_api_exceptions.py |
L66 | TEST_CODE |
assert should not be the only input-validation boundary. |
tests/test_api_exceptions.py |
L83 | TEST_CODE |
assert should not be the only input-validation boundary. |
tests/test_api_exceptions.py |
L84 | TEST_CODE |
assert should not be the only input-validation boundary. |
tests/test_api_exceptions.py |
L85 | TEST_CODE |
assert should not be the only input-validation boundary. |
tests/test_api_exceptions.py |
L99 | TEST_CODE |
assert should not be the only input-validation boundary. |
tests/test_api_exceptions.py |
L100 | TEST_CODE |
assert should not be the only input-validation boundary. |
tests/test_api_exceptions.py |
L101 | TEST_CODE |
assert should not be the only input-validation boundary. |
tests/test_api_exceptions.py |
L118 | TEST_CODE |
assert should not be the only input-validation boundary. |
tests/test_api_exceptions.py |
L119 | TEST_CODE |
assert should not be the only input-validation boundary. |
tests/test_api_exceptions.py |
L120 | TEST_CODE |
assert should not be the only input-validation boundary. |
tests/test_api_exceptions.py |
L138 | TEST_CODE |
assert should not be the only input-validation boundary. |
tests/test_api_exceptions.py |
L139 | TEST_CODE |
assert should not be the only input-validation boundary. |
tests/test_api_exceptions.py |
L140 | TEST_CODE |
assert should not be the only input-validation boundary. |
scripts/debug_sqlglot.py |
L1 | RUNTIME_CODE |
Test or debug file 'scripts/debug_sqlglot.py' is present in Docker build context. |
| ... | ... | ... | ...and 3 more |
Informational Findings
| File | Line | Context | Issue |
|---|---|---|---|
src/qwed_new/api/main.py |
L402 | LITERAL_STRING |
os.system() shell execution primitive detected. |
src/qwed_new/core/safe_parser.py |
L4 | LITERAL_STRING |
Dangerous eval() call can execute untrusted code. |
src/qwed_new/core/safe_parser.py |
L43 | COMMENT |
Dangerous exec() call can execute untrusted code. |
src/qwed_new/core/safe_parser.py |
L44 | COMMENT |
Dangerous eval() call can execute untrusted code. |
src/qwed_new/core/safe_parser.py |
L50 | COMMENT |
compile() can be part of dynamic code generation. |
tests/security/test_safe_parser.py |
L18 | LITERAL_STRING |
Dynamic import() call should be reviewed. |
tests/security/test_safe_parser.py |
L19 | LITERAL_STRING |
Dynamic import() call should be reviewed. |
tests/security/test_safe_parser.py |
L20 | LITERAL_STRING |
Dynamic import() call should be reviewed. |
tests/security/test_safe_parser.py |
L21 | LITERAL_STRING |
Dangerous exec() call can execute untrusted code. |
tests/security/test_safe_parser.py |
L28 | LITERAL_STRING |
compile() can be part of dynamic code generation. |
tests/security/test_safe_parser.py |
L30 | LITERAL_STRING |
os.system() shell execution primitive detected. |
tests/security/test_safe_parser.py |
L37 | LITERAL_STRING |
subprocess invocation detected. |
Verified Files
src/qwed_new/core/batch.pysrc/qwed_new/core/validator.pysrc/qwed_new/core/verifier.py
Verified by QWED — deterministic security verification. No LLM used.
Details
Scan completed in 14.1s. Engines: pattern_scan, python_ast, secret_scan, shell_safety, policy_config.
Annotations
Check notice on line 402 in src/qwed_new/api/main.py
qwed-security / QWED Security
QWED: pattern_scan
os.system() shell execution primitive detected. Context=LITERAL_STRING. Decision reason: Pattern detected in a non-executable context.
Check notice on line 4 in src/qwed_new/core/safe_parser.py
qwed-security / QWED Security
QWED: pattern_scan
Dangerous eval() call can execute untrusted code. Context=LITERAL_STRING. Decision reason: Pattern detected in a non-executable context.
Check warning on line 40 in src/qwed_new/core/safe_parser.py
qwed-security / QWED Security
QWED: pattern_scan
compile() can be part of dynamic code generation. Context=RUNTIME_CODE. Decision reason: Executable runtime path contains a risky but non-blocking pattern.
Check notice on line 43 in src/qwed_new/core/safe_parser.py
qwed-security / QWED Security
QWED: pattern_scan
Dangerous exec() call can execute untrusted code. Context=COMMENT. Decision reason: Pattern detected in a non-executable context.
Check notice on line 44 in src/qwed_new/core/safe_parser.py
qwed-security / QWED Security
QWED: pattern_scan
Dangerous eval() call can execute untrusted code. Context=COMMENT. Decision reason: Pattern detected in a non-executable context.
Check notice on line 50 in src/qwed_new/core/safe_parser.py
qwed-security / QWED Security
QWED: pattern_scan
compile() can be part of dynamic code generation. Context=COMMENT. Decision reason: Pattern detected in a non-executable context.
Check notice on line 18 in tests/security/test_safe_parser.py
qwed-security / QWED Security
QWED: pattern_scan
Dynamic __import__() call should be reviewed. Context=LITERAL_STRING. Decision reason: Pattern detected in a non-executable context.
Check notice on line 19 in tests/security/test_safe_parser.py
qwed-security / QWED Security
QWED: pattern_scan
Dynamic __import__() call should be reviewed. Context=LITERAL_STRING. Decision reason: Pattern detected in a non-executable context.
Check notice on line 20 in tests/security/test_safe_parser.py
qwed-security / QWED Security
QWED: pattern_scan
Dynamic __import__() call should be reviewed. Context=LITERAL_STRING. Decision reason: Pattern detected in a non-executable context.
Check notice on line 21 in tests/security/test_safe_parser.py
qwed-security / QWED Security
QWED: pattern_scan
Dangerous exec() call can execute untrusted code. Context=LITERAL_STRING. Decision reason: Pattern detected in a non-executable context.
Check notice on line 28 in tests/security/test_safe_parser.py
qwed-security / QWED Security
QWED: pattern_scan
compile() can be part of dynamic code generation. Context=LITERAL_STRING. Decision reason: Pattern detected in a non-executable context.
Check notice on line 30 in tests/security/test_safe_parser.py
qwed-security / QWED Security
QWED: pattern_scan
os.system() shell execution primitive detected. Context=LITERAL_STRING. Decision reason: Pattern detected in a non-executable context.
Check notice on line 37 in tests/security/test_safe_parser.py
qwed-security / QWED Security
QWED: pattern_scan
subprocess invocation detected. Context=LITERAL_STRING. Decision reason: Pattern detected in a non-executable context.
Check failure on line 11 in tests/test_api_exceptions.py
qwed-security / QWED Security
QWED: pattern_scan
Hardcoded credential-like material detected. Context=TEST_CODE. Decision reason: Pattern remains enforceable even in test code.
Check warning on line 44 in tests/test_api_exceptions.py
qwed-security / QWED Security
QWED: pattern_scan
assert should not be the only input-validation boundary. Context=TEST_CODE. Decision reason: Pattern detected in test code; surfaced as advisory instead of blocking runtime execution.
Check warning on line 45 in tests/test_api_exceptions.py
qwed-security / QWED Security
QWED: pattern_scan
assert should not be the only input-validation boundary. Context=TEST_CODE. Decision reason: Pattern detected in test code; surfaced as advisory instead of blocking runtime execution.
Check warning on line 46 in tests/test_api_exceptions.py
qwed-security / QWED Security
QWED: pattern_scan
assert should not be the only input-validation boundary. Context=TEST_CODE. Decision reason: Pattern detected in test code; surfaced as advisory instead of blocking runtime execution.
Check warning on line 64 in tests/test_api_exceptions.py
qwed-security / QWED Security
QWED: pattern_scan
assert should not be the only input-validation boundary. Context=TEST_CODE. Decision reason: Pattern detected in test code; surfaced as advisory instead of blocking runtime execution.
Check warning on line 65 in tests/test_api_exceptions.py
qwed-security / QWED Security
QWED: pattern_scan
assert should not be the only input-validation boundary. Context=TEST_CODE. Decision reason: Pattern detected in test code; surfaced as advisory instead of blocking runtime execution.
Check warning on line 66 in tests/test_api_exceptions.py
qwed-security / QWED Security
QWED: pattern_scan
assert should not be the only input-validation boundary. Context=TEST_CODE. Decision reason: Pattern detected in test code; surfaced as advisory instead of blocking runtime execution.
Check warning on line 83 in tests/test_api_exceptions.py
qwed-security / QWED Security
QWED: pattern_scan
assert should not be the only input-validation boundary. Context=TEST_CODE. Decision reason: Pattern detected in test code; surfaced as advisory instead of blocking runtime execution.
Check warning on line 84 in tests/test_api_exceptions.py
qwed-security / QWED Security
QWED: pattern_scan
assert should not be the only input-validation boundary. Context=TEST_CODE. Decision reason: Pattern detected in test code; surfaced as advisory instead of blocking runtime execution.
Check warning on line 85 in tests/test_api_exceptions.py
qwed-security / QWED Security
QWED: pattern_scan
assert should not be the only input-validation boundary. Context=TEST_CODE. Decision reason: Pattern detected in test code; surfaced as advisory instead of blocking runtime execution.
Check warning on line 99 in tests/test_api_exceptions.py
qwed-security / QWED Security
QWED: pattern_scan
assert should not be the only input-validation boundary. Context=TEST_CODE. Decision reason: Pattern detected in test code; surfaced as advisory instead of blocking runtime execution.
Check warning on line 100 in tests/test_api_exceptions.py
qwed-security / QWED Security
QWED: pattern_scan
assert should not be the only input-validation boundary. Context=TEST_CODE. Decision reason: Pattern detected in test code; surfaced as advisory instead of blocking runtime execution.