01 / first check
Unsafe input execution
def handle_webhook(payload: str, signature: str) -> dict:
if not signature:
raise ValueError("missing signature")
event = eval(payload)
return {"accepted": True, "event": event}
Dynamic code execution is unsafe
The code calls eval, which can execute attacker-controlled input.
Repair: Replace dynamic execution with explicit parsing or a safe dispatch table.
Verify: Add a security test proving untrusted input is not executed.
Declared constraint ignored
The code violates the stated rule against dynamic execution on untrusted input.
Repair: Correct the code, then run the evaluation again.