security-guidance plugin: eval_injection rule falsely flags ast.literal_eval()
Describe the bug
The eval_injection rule in the security-guidance plugin (plugins/security-guidance/hooks/security_reminder_hook.py) uses substring matching for "eval(" which catches ast.literal_eval() — a safe Python stdlib function that only parses literal values (strings, numbers, tuples, lists, dicts, booleans, None). It does NOT execute arbitrary code.
This causes legitimate uses of ast.literal_eval() to be blocked during Edit/Write/MultiEdit operations with:
⚠️ Security Warning: eval() executes arbitrary code and is a major security risk.
Consider using JSON.parse() for data parsing or alternative design patterns that
don't require code evaluation. Only use eval() if you truly need to evaluate
arbitrary code.
Steps to reproduce
- Install
security-guidance@claude-plugins-official - Attempt to edit a
.pyfile containingast.literal_eval() - The hook blocks the edit
Expected behavior
ast.literal_eval() should not be flagged. It's a well-known safe alternative to eval() specifically designed for parsing Python literals without code execution.
Suggested fix
Add an exclude_substrings field to the pattern schema so specific safe patterns can be whitelisted. For the eval_injection rule:
{
"ruleName": "eval_injection",
"substrings": ["eval("],
"exclude_substrings": ["ast.literal_eval"],
"reminder": "..."
}
And update check_patterns to check exclusions before returning a match:
if substring in content:
excluded = False
for exclude_sub in pattern.get("exclude_substrings", []):
if exclude_sub in content:
excluded = True
break
if not excluded:
return pattern["ruleName"], pattern["reminder"]
This is backward-compatible (patterns without exclude_substrings work as before) and extensible to other false-positive cases.
Related
- Issue #46720 reports the same class of substring-matching false positive for
exec(in docs/markdown files. Anexclude_substringsmechanism would also help there (e.g. exclude markdown code blocks from triggering the hook).
This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗