🛡️ Sentinel: [CRITICAL] Fix arbitrary code execution in type string evaluation

[bashandbone]

🚨 Severity: CRITICAL
💡 Vulnerability: _safe_eval_type inside src/codeweaver/core/di/container.py validated AST nodes for safe eval() but allowed all ast.Call nodes. Since type strings are passed through eval() with some built-ins and user-provided namespaces, this could lead to Arbitrary Code Execution (ACE) if an attacker can inject a function call into the evaluated type string annotation.
🎯 Impact: Attackers could execute arbitrary functions available in the global namespace during the dynamic resolution of type annotations.
🔧 Fix: Added strict validation for ast.Call nodes, checking against a whitelist of known safe type-hinting related functions (Depends, depends, Field, PrivateAttr, Tag, Parameter).
✅ Verification: mise //:test passing, specifically the dependency injection tests (uv run pytest tests/unit/core/di/).

---

PR created automatically by Jules for task 18192920016130478227 started by @bashandbone

Summary by Sourcery

Restrict type string evaluation to a safe subset of function calls to close an arbitrary code execution vulnerability.

Bug Fixes:

• Harden _safe_eval_type AST validation by allowing only a small whitelist of known-safe functions in ast.Call nodes when evaluating type strings.

Documentation:

• Document the new arbitrary code execution vulnerability and its mitigation in the Sentinel security log.

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[sourcery-ai]

Reviewer's guide (collapsed on small PRs)

Reviewer's Guide

Tightens the security of _safe_eval_type by restricting AST Call nodes to a small whitelist of allowed type-hint related functions, and documents the vulnerability and lessons learned in the Sentinel security log.

File-Level Changes

Change	Details	Files
Harden AST validation in _safe_eval_type to prevent arbitrary code execution via function calls in evaluated type strings.	Annotate _safe_eval_type definition with noqa: C901 to suppress complexity linter warnings due to added checks. Extend the AST NodeVisitor.generic_visit to detect ast.Call nodes in type string ASTs. Derive the function name from ast.Call.func when it is a Name or Attribute node. Enforce a strict whitelist of allowed callable names used in type annotations (Depends, depends, Field, PrivateAttr, Tag, Parameter) and raise TypeError for any other function call. Keep existing checks for disallowed dunder attributes and overall safe-node validation logic intact.	src/codeweaver/core/di/container.py
Update Sentinel security documentation to record the discovered arbitrary code execution issue in type string evaluation and preventative guidance.	Add a dated entry describing the ACE vulnerability in _safe_eval_type and how it arose from unrestricted ast.Call nodes. Document the security learning around thorough AST validation when using eval in restricted environments. Provide prevention guidance recommending explicit whitelisting of allowed functions in ast.Call nodes for dynamic type evaluation.	.jules/sentinel.md

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[github-actions]

🤖 Hi @bashandbone, I've received your request, and I'm working on it now! You can track my progress in the logs for more details.

[github-actions]

🤖 I'm sorry @bashandbone, but I was unable to process your request. Please see the logs for more details.

[sourcery-ai]

Hey - I've found 1 issue, and left some high level feedback:

• Consider extracting the allowed_funcs whitelist into a module-level constant (with a brief comment) so it’s easier to discover and update when new safe type-hint helpers are introduced.
• When raising for a forbidden function call, you may want to include a more descriptive representation of node.func (e.g., ast.unparse(node.func) where available) to aid debugging when func_name is None or an attribute chain.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- Consider extracting the `allowed_funcs` whitelist into a module-level constant (with a brief comment) so it’s easier to discover and update when new safe type-hint helpers are introduced.
- When raising for a forbidden function call, you may want to include a more descriptive representation of `node.func` (e.g., `ast.unparse(node.func)` where available) to aid debugging when `func_name` is `None` or an attribute chain.

## Individual Comments

### Comment 1
<location path="src/codeweaver/core/di/container.py" line_range="141-149" />
<code_context>

+                # Security concern: Restrict ast.Call to strictly whitelisted functions to prevent
+                # arbitrary code execution during eval().
+                if isinstance(node, ast.Call):
+                    allowed_funcs = {"Depends", "depends", "Field", "PrivateAttr", "Tag", "Parameter"}
+                    func_name = None
+                    if isinstance(node.func, ast.Name):
+                        func_name = node.func.id
+                    elif isinstance(node.func, ast.Attribute):
+                        func_name = node.func.attr
+
+                    if func_name not in allowed_funcs:
+                        raise TypeError(f"Forbidden function call in type string: {func_name}")
+
</code_context>
<issue_to_address>
**🚨 issue (security):** Attribute calls are validated only by attribute name, not by the owning object/module, which may weaken the intended security guarantees.

Because `ast.Attribute` calls are allowed solely by attribute name, any object exposing a `Depends`/`Field`/etc. attribute can be invoked. If this is meant to harden `eval` against arbitrary execution, consider also validating the attribute base (e.g., only allow attributes from specific known modules/symbols). Otherwise, an attacker could route a dangerous callable through a whitelisted attribute name and still bypass the restriction.
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[sourcery-ai]

🚨 issue (security): Attribute calls are validated only by attribute name, not by the owning object/module, which may weaken the intended security guarantees.

Because ast.Attribute calls are allowed solely by attribute name, any object exposing a Depends/Field/etc. attribute can be invoked. If this is meant to harden eval against arbitrary execution, consider also validating the attribute base (e.g., only allow attributes from specific known modules/symbols). Otherwise, an attacker could route a dangerous callable through a whitelisted attribute name and still bypass the restriction.

[github-actions]

Security Review: Arbitrary Code Execution Fix in Type String Evaluation

Summary

This PR addresses a CRITICAL security vulnerability in the _safe_eval_type method within src/codeweaver/core/di/container.py. The fix properly restricts ast.Call nodes to a whitelist of safe functions, preventing arbitrary code execution during type annotation evaluation.

---

Security Analysis

Vulnerability Details

The original implementation validated AST nodes for safe eval() but allowed all ast.Call nodes without restriction. This created an attack vector where:

• Any callable in the global namespace could be executed if injected into a type string annotation
• The restricted builtins alone were insufficient protection since ast.Call nodes bypassed validation
• Impact: Remote Code Execution (RCE) if attackers can control type annotation strings

Fix Assessment ✅

The patch correctly addresses the vulnerability by:

1. Whitelist Validation: Only allows specific safe functions:

   • Depends, depends, Field, PrivateAttr, Tag, Parameter

2. Comprehensive Coverage: Handles both:

   • Direct function calls: ast.Name (e.g., Depends(...))
   • Attribute access: ast.Attribute (e.g., module.Depends(...))

3. Clear Error Messaging: Raises TypeError with descriptive message when forbidden functions are detected

4. Defense in Depth: Works alongside existing protections:

   • Dunder name/attribute blocking
   • AST node type restrictions
   • Minimal builtins in eval environment

---

Code Quality Review

Strengths

✅ Well-documented: Inline comment clearly explains the security concern
✅ Correct implementation: Proper AST node inspection for both ast.Name and ast.Attribute
✅ Minimal whitelist: Only includes necessary type-hinting functions
✅ Consistent error handling: Raises TypeError matching existing validation pattern
✅ Documentation updated: .jules/sentinel.md properly documents the vulnerability and prevention strategy

Potential Concerns

1. Test Coverage ⚠️

   • No dedicated tests for _safe_eval_type security validation
   • Should add tests verifying:
     • Legitimate whitelisted functions work (Depends(), Field(), etc.)
     • Forbidden functions are rejected (exec(), open(), __import__(), etc.)
     • Edge cases: nested calls, complex expressions

2. Whitelist Completeness 🤔

   • Current whitelist: {"Depends", "depends", "Field", "PrivateAttr", "Tag", "Parameter"}
   • Question: Are there other Pydantic or typing-related functions that should be allowed?
   • Recommendation: Audit codebase for other legitimate use cases in type strings

3. CI Failures ⚠️

   • Build Docker Image job failed
   • review / review job failed
   • These appear unrelated to the code changes but should be investigated

---

Security Best Practices Verification

✅ Principle of Least Privilege: Whitelist approach is correct (deny by default)
✅ Input Validation: AST validation before eval is the right pattern
✅ Error Handling: Fails closed (rejects unknown functions)
✅ Documentation: Security learning documented in sentinel.md

---

Recommendations

1. Add Security Tests (High Priority)

# Suggested test cases in tests/unit/core/di/test_container_security.py

async def test_safe_eval_type_allows_whitelisted_functions():
    """Verify whitelisted functions are allowed in type strings."""
    container = Container()
    globalns = {"Depends": Depends, "Field": Field}
    
    # Should not raise
    result = container._safe_eval_type("Annotated[str, Depends()]", globalns)
    assert result is not None

async def test_safe_eval_type_blocks_dangerous_functions():
    """Verify dangerous functions are blocked."""
    container = Container()
    globalns = {"exec": exec, "open": open, "__import__": __import__}
    
    # Should return None (blocked)
    assert container._safe_eval_type("exec('print(1)')", globalns) is None
    assert container._safe_eval_type("open('/etc/passwd')", globalns) is None
    assert container._safe_eval_type("__import__('os')", globalns) is None

async def test_safe_eval_type_blocks_dunder_access():
    """Verify dunder attribute access is blocked."""
    container = Container()
    globalns = {"str": str}
    
    # Should return None (blocked)
    assert container._safe_eval_type("str.__class__", globalns) is None
    assert container._safe_eval_type("__builtins__", globalns) is None

2. Consider Function Aliasing Attack

Verify that the whitelist check can't be bypassed by aliasing:

# Potential bypass attempt
globalns = {"malicious": exec}
type_str = "malicious('bad code')"

Current code should block this (function name is malicious, not in whitelist) ✅

3. Review Whitelist Completeness

• Grep codebase for other functions used in type annotations
• Consider if Literal, Union, Optional need to be in whitelist (they're likely types, not callables)

---

Verdict

APPROVE with recommendation for additional tests

The security fix is sound and correctly implemented. The approach is the right one for mitigating arbitrary code execution. However, I strongly recommend:

1. ✅ Merge the fix immediately - This is a critical security patch
2. ⚠️ Add security tests in a follow-up PR to prevent regression
3. 🔍 Investigate CI failures to ensure they're not related

The vulnerability documentation in .jules/sentinel.md is excellent and will help prevent similar issues in the future.

---

CI Status

• ❌ Build Docker Image: FAILED (investigate)
• ❌ review / review: FAILED (investigate)
• ⏳ Test Python 3.12/3.13/3.14: PENDING
• ✅ Lint and Format: PASSED
• ✅ CodeQL Analysis: PASSED
• ✅ Socket Security: PASSED

Recommendation: Wait for pending tests to complete, but CI failures appear unrelated to the security fix itself.

[github-actions]

Review of Security Fix for Type String Evaluation

I've completed a comprehensive review of this critical security fix. Please see my detailed analysis in the PR comments.

Key Findings

✅ Security Fix is Sound: The whitelist approach correctly mitigates the arbitrary code execution vulnerability

⚠️ Additional Security Concern (from comment 3405203672): The observation about attribute-based calls is valid. While the current fix significantly improves security, validating the base object of attribute calls (e.g., module.Depends()) would provide stronger guarantees.

⚠️ Missing Test Coverage: No security-specific tests for _safe_eval_type. I strongly recommend adding tests to verify:

• Whitelisted functions work correctly
• Dangerous functions are blocked (exec, open, import)
• Dunder access is prevented
• Edge cases are handled

Recommendations

1. Merge this PR immediately - Critical security fix
2. Add security tests in follow-up PR
3. Consider hardening attribute validation per the security comment
4. Investigate CI failures (appear unrelated to code changes)

Verdict: APPROVE ✅

This fix should be merged to address the critical vulnerability. The suggested enhancements can be addressed in follow-up work.

[github-actions]

Response to Security Concern (Comment 3405203672)

Re: Attribute calls validated only by attribute name

This is an excellent security observation. You're absolutely correct that the current implementation validates only the attribute name (node.func.attr), not the owning object.

---

Vulnerability Analysis

Theoretical Bypass:

class Evil:
    @staticmethod
    def Depends():
        exec('malicious code')

# Type string: "Evil.Depends()"
# Current validation: PASSES (attr == 'Depends')

Actual Exploitability:

• LOW - Attacker needs control over globalns (module's __dict__ or obj.__globals__)
• Narrow attack surface - globalns is typically controlled by the codebase, not user input
• Existing defenses - Dunder restrictions prevent attribute chaining like __class__.__bases__

However, defense in depth is always warranted for security-critical code.

---

Recommended Hardening Options

Option 1: Validate Base Object (Strongest)

if isinstance(node, ast.Call):
    allowed_funcs = {"Depends", "depends", "Field", "PrivateAttr", "Tag", "Parameter"}
    allowed_bases = {"pydantic", "codeweaver"}  # Modules we trust
    
    func_name = None
    if isinstance(node.func, ast.Name):
        func_name = node.func.id
    elif isinstance(node.func, ast.Attribute):
        # Validate BOTH the attribute name AND the base object
        func_name = node.func.attr
        if isinstance(node.func.value, ast.Name):
            if node.func.value.id not in allowed_bases:
                raise TypeError(f"Forbidden module: {node.func.value.id}")\n    \n    if func_name not in allowed_funcs:
        raise TypeError(f"Forbidden function call: {func_name}")

Option 2: Disallow Attribute Access Entirely (Simplest)

if isinstance(node, ast.Call):
    # Only allow direct calls like Depends(), not module.Depends()
    if isinstance(node.func, ast.Name):
        if node.func.id not in allowed_funcs:
            raise TypeError(f"Forbidden function: {node.func.id}")
    else:
        raise TypeError("Only direct function calls allowed (no attribute access)")

---

Recommendation

I suggest implementing Option 1 as a follow-up hardening PR. This would:

1. Maintain compatibility with pydantic.Field() style imports
2. Provide stronger security guarantees against sophisticated attacks
3. Follow the principle of least privilege

@bashandbone Would you like me to prepare a patch implementing Option 1, or would you prefer to handle this as a follow-up task?

---

Credit: Thank you for the thorough security analysis. This type of defense-in-depth thinking is exactly what's needed for security-critical code paths.

[github-actions]

✅ APPROVED - Critical Security Fix

I've completed a thorough review of this security patch addressing arbitrary code execution in type string evaluation.

Summary

Vulnerability: The _safe_eval_type method allowed arbitrary ast.Call nodes during eval(), enabling potential RCE if attackers could inject malicious type annotations.

Fix: Implements a whitelist restricting ast.Call nodes to safe type-hinting functions: Depends, depends, Field, PrivateAttr, Tag, Parameter.

---

Security Assessment ✅

Strengths:

• Correct whitelist approach (deny by default)
• Handles both ast.Name and ast.Attribute function calls
• Clear error messages for forbidden calls
• Works with existing AST validation (dunder blocking, node type restrictions)
• Well-documented in .jules/sentinel.md

Defense in Depth:
The fix significantly hardens the eval environment. Combined with existing protections (minimal builtins, dunder restrictions), this creates multiple security layers.

---

Follow-up Recommendations

While approving this critical fix, I recommend addressing these in follow-up PRs:

1. Add Security Tests (High Priority)

   • Test whitelisted functions work
   • Test dangerous functions are blocked (exec, open, __import__)
   • Test edge cases (nested calls, complex expressions)

2. Consider Attribute Base Validation (Medium Priority)

   • Per comment 3405203672: validate the base object for attribute calls
   • Current code allows anymodule.Depends() if attr name matches
   • Suggest restricting to known safe modules (pydantic, codeweaver)

3. Investigate CI Failures

   • Build Docker Image: FAILED
   • review / review: FAILED
   • Appears unrelated to code changes but should be resolved

---

Verdict

APPROVE AND MERGE IMMEDIATELY

This is a well-implemented fix for a critical security vulnerability. The suggested enhancements are valuable but should not block merging this patch.

Great work documenting this in the Sentinel security log. This will help prevent similar vulnerabilities in the future.

---

Test Status Note: Python test jobs (3.12, 3.13, 3.14) are still pending. Based on code review, the changes should not break existing tests, but please verify before final merge.