From 7c90e20a2c2db0a1941df16fcbfeac3bd7a35b96 Mon Sep 17 00:00:00 2001 From: Sergey B Kirpichev Date: Fri, 19 Dec 2025 07:09:11 +0300 Subject: [PATCH] gh-141778: add missing validation in ast.literal_eval() for non-string input This also changes parsing of the private `__text_signature__` attribute by inspect.signature(). Now we accept here only types, valid for ast.Constant(). --- Lib/ast.py | 13 +++++++++++-- Lib/inspect.py | 3 ++- Lib/test/test_ast/test_ast.py | 4 ++++ Lib/test/test_inspect/test_inspect.py | 4 +++- .../2025-12-19-07-09-02.gh-issue-141778.VdSWcy.rst | 2 ++ 5 files changed, 22 insertions(+), 4 deletions(-) create mode 100644 Misc/NEWS.d/next/Library/2025-12-19-07-09-02.gh-issue-141778.VdSWcy.rst diff --git a/Lib/ast.py b/Lib/ast.py index d9743ba7ab40b1..4badca2eabc76c 100644 --- a/Lib/ast.py +++ b/Lib/ast.py @@ -59,17 +59,26 @@ def literal_eval(node_or_string): """ if isinstance(node_or_string, str): node_or_string = parse(node_or_string.lstrip(" \t"), mode='eval').body + return _convert_literal(node_or_string, True) elif isinstance(node_or_string, Expression): node_or_string = node_or_string.body return _convert_literal(node_or_string) -def _convert_literal(node): +_type_None = type(None) +_type_Ellipsis = type(...) + + +def _convert_literal(node, omit_validation=False): """ Used by `literal_eval` to convert an AST node into a value. """ if isinstance(node, Constant): - return node.value + if omit_validation: + return node.value + if type(value := node.value) in (str, bytes, int, float, complex, + bool, _type_None, _type_Ellipsis): + return value if isinstance(node, Dict) and len(node.keys) == len(node.values): return dict(zip( map(_convert_literal, node.keys), diff --git a/Lib/inspect.py b/Lib/inspect.py index 07c4e28f0d9952..93c05a12c07bb5 100644 --- a/Lib/inspect.py +++ b/Lib/inspect.py @@ -2216,7 +2216,8 @@ def wrap_value(s): except NameError: raise ValueError - if isinstance(value, (str, int, float, bytes, bool, type(None))): + if type(value) in (str, int, float, bytes, bool, complex, + type(None), type(...)): return ast.Constant(value) raise ValueError diff --git a/Lib/test/test_ast/test_ast.py b/Lib/test/test_ast/test_ast.py index d2b76b46dbe2eb..7bbdfc63eb424c 100644 --- a/Lib/test/test_ast/test_ast.py +++ b/Lib/test/test_ast/test_ast.py @@ -1890,6 +1890,10 @@ def test_literal_eval(self): self.assertRaises(ValueError, ast.literal_eval, '++6') self.assertRaises(ValueError, ast.literal_eval, '+True') self.assertRaises(ValueError, ast.literal_eval, '2+3') + # gh-141778: reject values of invalid types + node = ast.Expression(body=ast.Constant(object())) + ast.fix_missing_locations(node) + self.assertRaises(ValueError, ast.literal_eval, node) def test_literal_eval_str_int_limit(self): with support.adjust_int_max_str_digits(4000): diff --git a/Lib/test/test_inspect/test_inspect.py b/Lib/test/test_inspect/test_inspect.py index 075e1802bebc3e..97ee587b74d5cb 100644 --- a/Lib/test/test_inspect/test_inspect.py +++ b/Lib/test/test_inspect/test_inspect.py @@ -6286,7 +6286,9 @@ def test_threading_module_has_signatures(self): def test_thread_module_has_signatures(self): import _thread no_signature = {'RLock'} - self._test_module_has_signatures(_thread, no_signature) + unsupported_signature = {'interrupt_main'} + self._test_module_has_signatures(_thread, no_signature, + unsupported_signature) def test_time_module_has_signatures(self): no_signature = { diff --git a/Misc/NEWS.d/next/Library/2025-12-19-07-09-02.gh-issue-141778.VdSWcy.rst b/Misc/NEWS.d/next/Library/2025-12-19-07-09-02.gh-issue-141778.VdSWcy.rst new file mode 100644 index 00000000000000..77257f65619a06 --- /dev/null +++ b/Misc/NEWS.d/next/Library/2025-12-19-07-09-02.gh-issue-141778.VdSWcy.rst @@ -0,0 +1,2 @@ +Validate value types of :class:`ast.Constant` nodes in the +:func:`ast.literal_eval`. Patch by Sergey B Kirpichev.