From e33fe054e47755cc9df77e3048d9493a3a202b08 Mon Sep 17 00:00:00 2001
From: tuanaiseo
Date: Thu, 7 May 2026 06:02:31 +0700
Subject: [PATCH] fix(security): unsafe use of exec() in version parsing

The _get_sonnet_version() function in setup.py uses exec() to parse the __version__ from sonnet/__init__.py. While currently reading from a controlled file, this pattern is dangerous as it could execute arbitrary code if the file is tampered with or if the function is repurposed to read user-controlled input.

Affected files: setup.py

Signed-off-by: tuanaiseo <221258316+tuanaiseo@users.noreply.github.com>
---
 setup.py | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/setup.py b/setup.py
index e1e3ddd1..efdaf3fa 100644
--- a/setup.py
+++ b/setup.py
@@ -1,17 +1,18 @@
 """Setup for pip package."""
 
+import re
+
 from setuptools import find_namespace_packages
 from setuptools import setup
 
 
 def _get_sonnet_version():
   with open('sonnet/__init__.py') as fp:
-    for line in fp:
-      if line.startswith('__version__'):
-        g = {}
-        exec(line, g)  # pylint: disable=exec-used
-        return g['__version__']
-    raise ValueError('`__version__` not defined in `sonnet/__init__.py`')
+    content = fp.read()
+    match = re.search(r"__version__\s*=\s*['\"]([^'\"]+)['\"]", content)
+    if match:
+      return match.group(1)
+  raise ValueError('`__version__` not defined in `sonnet/__init__.py`')
 
 
 def _parse_requirements(requirements_txt_path):
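Review bot: The new regex at `match = re.search(...)` is unanchored, so it returns the first `__version__ = '...'` text found anywhere in `sonnet/__init__.py` — including inside a docstring or comment, or as a suffix of a longer name — and it also accepts mismatched quotes such as `'1.0"`, whereas the loop it replaces only looked at lines that started with `__version__`. The minimal fix is to anchor per line and pair the quotes, `match = re.search(r"^__version__\s*=\s*(['\"])([^'\"]+)\1", content, re.M)` and `return match.group(2)`. Since the stated goal is to stop executing the file, the more robust option is to parse it with the `ast` module (swapping `import re` for `import ast`) and read the string constant assigned to `__version__`, which yields exactly the value the interpreter would bind without running any of the module; note that `ast.Constant` requires Python 3.8+, so check that against the package's supported versions. I would also pass `encoding='utf-8'` to `open()` so the build does not depend on the host's locale encoding.
```python
def _get_sonnet_version():
  with open('sonnet/__init__.py', encoding='utf-8') as fp:
    tree = ast.parse(fp.read(), filename='sonnet/__init__.py')
  # Only a top-level `__version__ = '<str>'` assignment counts; nothing is executed.
  for node in tree.body:
    if not isinstance(node, ast.Assign):
      continue
    targets = [t.id for t in node.targets if isinstance(t, ast.Name)]
    if '__version__' in targets and isinstance(node.value, ast.Constant):
      if isinstance(node.value.value, str):
        return node.value.value
  raise ValueError('`__version__` not defined in `sonnet/__init__.py`')
```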