Skip to content

fix(math): restrict sympy expression parsing#200

Merged
Rahul Dass (rahuldass19) merged 8 commits into
QWED-AI:mainfrom
sebastiondev:fix/cwe95-main-sympy-9383
Jun 14, 2026
Merged

fix(math): restrict sympy expression parsing#200
Rahul Dass (rahuldass19) merged 8 commits into
QWED-AI:mainfrom
sebastiondev:fix/cwe95-main-sympy-9383

fix: restrict sympy parse_expr to prevent code execution (CWE-95)

dc9d4db
Select commit
Loading
Failed to load commit list.
QWED Security / QWED Security failed Jun 8, 2026 in 14s

QWED Security — FAILURE

QWED Security Verification Report

11 files scanned | 1 blocked | 23 warnings | 12 info | 3 verified

Engines: pattern_scan, python_ast, secret_scan, shell_safety, policy_config

Blocked Findings

File Line Context Issue
tests/test_api_exceptions.py L11 TEST_CODE Hardcoded credential-like material detected.

Advisory Warnings

File Line Context Issue
src/qwed_new/core/safe_parser.py L40 RUNTIME_CODE compile() can be part of dynamic code generation.
tests/test_api_exceptions.py L44 TEST_CODE assert should not be the only input-validation boundary.
tests/test_api_exceptions.py L45 TEST_CODE assert should not be the only input-validation boundary.
tests/test_api_exceptions.py L46 TEST_CODE assert should not be the only input-validation boundary.
tests/test_api_exceptions.py L64 TEST_CODE assert should not be the only input-validation boundary.
tests/test_api_exceptions.py L65 TEST_CODE assert should not be the only input-validation boundary.
tests/test_api_exceptions.py L66 TEST_CODE assert should not be the only input-validation boundary.
tests/test_api_exceptions.py L83 TEST_CODE assert should not be the only input-validation boundary.
tests/test_api_exceptions.py L84 TEST_CODE assert should not be the only input-validation boundary.
tests/test_api_exceptions.py L85 TEST_CODE assert should not be the only input-validation boundary.
tests/test_api_exceptions.py L99 TEST_CODE assert should not be the only input-validation boundary.
tests/test_api_exceptions.py L100 TEST_CODE assert should not be the only input-validation boundary.
tests/test_api_exceptions.py L101 TEST_CODE assert should not be the only input-validation boundary.
tests/test_api_exceptions.py L118 TEST_CODE assert should not be the only input-validation boundary.
tests/test_api_exceptions.py L119 TEST_CODE assert should not be the only input-validation boundary.
tests/test_api_exceptions.py L120 TEST_CODE assert should not be the only input-validation boundary.
tests/test_api_exceptions.py L138 TEST_CODE assert should not be the only input-validation boundary.
tests/test_api_exceptions.py L139 TEST_CODE assert should not be the only input-validation boundary.
tests/test_api_exceptions.py L140 TEST_CODE assert should not be the only input-validation boundary.
scripts/debug_sqlglot.py L1 RUNTIME_CODE Test or debug file 'scripts/debug_sqlglot.py' is present in Docker build context.
... ... ... ...and 3 more

Informational Findings

File Line Context Issue
src/qwed_new/api/main.py L402 LITERAL_STRING os.system() shell execution primitive detected.
src/qwed_new/core/safe_parser.py L4 LITERAL_STRING Dangerous eval() call can execute untrusted code.
src/qwed_new/core/safe_parser.py L43 COMMENT Dangerous exec() call can execute untrusted code.
src/qwed_new/core/safe_parser.py L44 COMMENT Dangerous eval() call can execute untrusted code.
src/qwed_new/core/safe_parser.py L50 COMMENT compile() can be part of dynamic code generation.
tests/security/test_safe_parser.py L18 LITERAL_STRING Dynamic import() call should be reviewed.
tests/security/test_safe_parser.py L19 LITERAL_STRING Dynamic import() call should be reviewed.
tests/security/test_safe_parser.py L20 LITERAL_STRING Dynamic import() call should be reviewed.
tests/security/test_safe_parser.py L21 LITERAL_STRING Dangerous exec() call can execute untrusted code.
tests/security/test_safe_parser.py L28 LITERAL_STRING compile() can be part of dynamic code generation.
tests/security/test_safe_parser.py L30 LITERAL_STRING os.system() shell execution primitive detected.
tests/security/test_safe_parser.py L37 LITERAL_STRING subprocess invocation detected.

Verified Files

  • src/qwed_new/core/batch.py
  • src/qwed_new/core/validator.py
  • src/qwed_new/core/verifier.py

Verified by QWED — deterministic security verification. No LLM used.

Details

Scan completed in 14.1s. Engines: pattern_scan, python_ast, secret_scan, shell_safety, policy_config.

Annotations

Check notice on line 402 in src/qwed_new/api/main.py

See this annotation in the file changed.

@qwed-security qwed-security / QWED Security

QWED: pattern_scan

os.system() shell execution primitive detected. Context=LITERAL_STRING. Decision reason: Pattern detected in a non-executable context.

Check notice on line 4 in src/qwed_new/core/safe_parser.py

See this annotation in the file changed.

@qwed-security qwed-security / QWED Security

QWED: pattern_scan

Dangerous eval() call can execute untrusted code. Context=LITERAL_STRING. Decision reason: Pattern detected in a non-executable context.

Check warning on line 40 in src/qwed_new/core/safe_parser.py

See this annotation in the file changed.

@qwed-security qwed-security / QWED Security

QWED: pattern_scan

compile() can be part of dynamic code generation. Context=RUNTIME_CODE. Decision reason: Executable runtime path contains a risky but non-blocking pattern.

Check notice on line 43 in src/qwed_new/core/safe_parser.py

See this annotation in the file changed.

@qwed-security qwed-security / QWED Security

QWED: pattern_scan

Dangerous exec() call can execute untrusted code. Context=COMMENT. Decision reason: Pattern detected in a non-executable context.

Check notice on line 44 in src/qwed_new/core/safe_parser.py

See this annotation in the file changed.

@qwed-security qwed-security / QWED Security

QWED: pattern_scan

Dangerous eval() call can execute untrusted code. Context=COMMENT. Decision reason: Pattern detected in a non-executable context.

Check notice on line 50 in src/qwed_new/core/safe_parser.py

See this annotation in the file changed.

@qwed-security qwed-security / QWED Security

QWED: pattern_scan

compile() can be part of dynamic code generation. Context=COMMENT. Decision reason: Pattern detected in a non-executable context.

Check notice on line 18 in tests/security/test_safe_parser.py

See this annotation in the file changed.

@qwed-security qwed-security / QWED Security

QWED: pattern_scan

Dynamic __import__() call should be reviewed. Context=LITERAL_STRING. Decision reason: Pattern detected in a non-executable context.

Check notice on line 19 in tests/security/test_safe_parser.py

See this annotation in the file changed.

@qwed-security qwed-security / QWED Security

QWED: pattern_scan

Dynamic __import__() call should be reviewed. Context=LITERAL_STRING. Decision reason: Pattern detected in a non-executable context.

Check notice on line 20 in tests/security/test_safe_parser.py

See this annotation in the file changed.

@qwed-security qwed-security / QWED Security

QWED: pattern_scan

Dynamic __import__() call should be reviewed. Context=LITERAL_STRING. Decision reason: Pattern detected in a non-executable context.

Check notice on line 21 in tests/security/test_safe_parser.py

See this annotation in the file changed.

@qwed-security qwed-security / QWED Security

QWED: pattern_scan

Dangerous exec() call can execute untrusted code. Context=LITERAL_STRING. Decision reason: Pattern detected in a non-executable context.

Check notice on line 28 in tests/security/test_safe_parser.py

See this annotation in the file changed.

@qwed-security qwed-security / QWED Security

QWED: pattern_scan

compile() can be part of dynamic code generation. Context=LITERAL_STRING. Decision reason: Pattern detected in a non-executable context.

Check notice on line 30 in tests/security/test_safe_parser.py

See this annotation in the file changed.

@qwed-security qwed-security / QWED Security

QWED: pattern_scan

os.system() shell execution primitive detected. Context=LITERAL_STRING. Decision reason: Pattern detected in a non-executable context.

Check notice on line 37 in tests/security/test_safe_parser.py

See this annotation in the file changed.

@qwed-security qwed-security / QWED Security

QWED: pattern_scan

subprocess invocation detected. Context=LITERAL_STRING. Decision reason: Pattern detected in a non-executable context.

Check failure on line 11 in tests/test_api_exceptions.py

See this annotation in the file changed.

@qwed-security qwed-security / QWED Security

QWED: pattern_scan

Hardcoded credential-like material detected. Context=TEST_CODE. Decision reason: Pattern remains enforceable even in test code.

Check warning on line 44 in tests/test_api_exceptions.py

See this annotation in the file changed.

@qwed-security qwed-security / QWED Security

QWED: pattern_scan

assert should not be the only input-validation boundary. Context=TEST_CODE. Decision reason: Pattern detected in test code; surfaced as advisory instead of blocking runtime execution.

Check warning on line 45 in tests/test_api_exceptions.py

See this annotation in the file changed.

@qwed-security qwed-security / QWED Security

QWED: pattern_scan

assert should not be the only input-validation boundary. Context=TEST_CODE. Decision reason: Pattern detected in test code; surfaced as advisory instead of blocking runtime execution.

Check warning on line 46 in tests/test_api_exceptions.py

See this annotation in the file changed.

@qwed-security qwed-security / QWED Security

QWED: pattern_scan

assert should not be the only input-validation boundary. Context=TEST_CODE. Decision reason: Pattern detected in test code; surfaced as advisory instead of blocking runtime execution.

Check warning on line 64 in tests/test_api_exceptions.py

See this annotation in the file changed.

@qwed-security qwed-security / QWED Security

QWED: pattern_scan

assert should not be the only input-validation boundary. Context=TEST_CODE. Decision reason: Pattern detected in test code; surfaced as advisory instead of blocking runtime execution.

Check warning on line 65 in tests/test_api_exceptions.py

See this annotation in the file changed.

@qwed-security qwed-security / QWED Security

QWED: pattern_scan

assert should not be the only input-validation boundary. Context=TEST_CODE. Decision reason: Pattern detected in test code; surfaced as advisory instead of blocking runtime execution.

Check warning on line 66 in tests/test_api_exceptions.py

See this annotation in the file changed.

@qwed-security qwed-security / QWED Security

QWED: pattern_scan

assert should not be the only input-validation boundary. Context=TEST_CODE. Decision reason: Pattern detected in test code; surfaced as advisory instead of blocking runtime execution.

Check warning on line 83 in tests/test_api_exceptions.py

See this annotation in the file changed.

@qwed-security qwed-security / QWED Security

QWED: pattern_scan

assert should not be the only input-validation boundary. Context=TEST_CODE. Decision reason: Pattern detected in test code; surfaced as advisory instead of blocking runtime execution.

Check warning on line 84 in tests/test_api_exceptions.py

See this annotation in the file changed.

@qwed-security qwed-security / QWED Security

QWED: pattern_scan

assert should not be the only input-validation boundary. Context=TEST_CODE. Decision reason: Pattern detected in test code; surfaced as advisory instead of blocking runtime execution.

Check warning on line 85 in tests/test_api_exceptions.py

See this annotation in the file changed.

@qwed-security qwed-security / QWED Security

QWED: pattern_scan

assert should not be the only input-validation boundary. Context=TEST_CODE. Decision reason: Pattern detected in test code; surfaced as advisory instead of blocking runtime execution.

Check warning on line 99 in tests/test_api_exceptions.py

See this annotation in the file changed.

@qwed-security qwed-security / QWED Security

QWED: pattern_scan

assert should not be the only input-validation boundary. Context=TEST_CODE. Decision reason: Pattern detected in test code; surfaced as advisory instead of blocking runtime execution.

Check warning on line 100 in tests/test_api_exceptions.py

See this annotation in the file changed.

@qwed-security qwed-security / QWED Security

QWED: pattern_scan

assert should not be the only input-validation boundary. Context=TEST_CODE. Decision reason: Pattern detected in test code; surfaced as advisory instead of blocking runtime execution.