security-guidance plugin: eval_injection rule falsely flags ast.literal_eval()

Resolved 💬 4 comments Opened May 1, 2026 by kakabanga Closed May 29, 2026

Describe the bug

The eval_injection rule in the security-guidance plugin (plugins/security-guidance/hooks/security_reminder_hook.py) uses substring matching for "eval(" which catches ast.literal_eval() — a safe Python stdlib function that only parses literal values (strings, numbers, tuples, lists, dicts, booleans, None). It does NOT execute arbitrary code.

This causes legitimate uses of ast.literal_eval() to be blocked during Edit/Write/MultiEdit operations with:

⚠️ Security Warning: eval() executes arbitrary code and is a major security risk.
Consider using JSON.parse() for data parsing or alternative design patterns that
don't require code evaluation. Only use eval() if you truly need to evaluate
arbitrary code.

Steps to reproduce

  1. Install security-guidance@claude-plugins-official
  2. Attempt to edit a .py file containing ast.literal_eval()
  3. The hook blocks the edit

Expected behavior

ast.literal_eval() should not be flagged. It's a well-known safe alternative to eval() specifically designed for parsing Python literals without code execution.

Suggested fix

Add an exclude_substrings field to the pattern schema so specific safe patterns can be whitelisted. For the eval_injection rule:

{
    "ruleName": "eval_injection",
    "substrings": ["eval("],
    "exclude_substrings": ["ast.literal_eval"],
    "reminder": "..."
}

And update check_patterns to check exclusions before returning a match:

if substring in content:
    excluded = False
    for exclude_sub in pattern.get("exclude_substrings", []):
        if exclude_sub in content:
            excluded = True
            break
    if not excluded:
        return pattern["ruleName"], pattern["reminder"]

This is backward-compatible (patterns without exclude_substrings work as before) and extensible to other false-positive cases.

Related

  • Issue #46720 reports the same class of substring-matching false positive for exec( in docs/markdown files. An exclude_substrings mechanism would also help there (e.g. exclude markdown code blocks from triggering the hook).

View original on GitHub ↗

This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗