Summary
homogenize_parameters.py executes eval() on YAML-sourced breakdown metadata.
Severity
High
Impact
A malicious or compromised parameter package can execute arbitrary Python during parameter homogenization.
Affected code
policyengine_core/parameters/operations/homogenize_parameters.py:57-75
Details
When first_breakdown is neither a list nor a known variable, the code falls back to:
possible_values = list(eval(first_breakdown))
That input originates from parameter metadata.
Expected behavior
Breakdown metadata should be treated as data, not executable code.
Suggested remediation
- Remove eval() entirely
- Support only explicit lists or known enum/bool-backed variables
- If string parsing is needed, use a strict parser with an allowlist grammar
- Add a regression test proving arbitrary expressions are rejected
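The following is an added illustration of the remediation above, not code from policyengine-core: a resolver that accepts an explicit list, a known bool- or enum-backed variable name, or a string matching a small allowlist grammar, and rejects everything else instead of evaluating it. The Region enum and the KNOWN_VARIABLES registry are constructed stand-ins for the project's real variable registry; the function and class names are assumptions.

```python
import enum
import re
from typing import Any, Mapping


class BreakdownError(ValueError):
    """Raised when breakdown metadata is not an allowed shape."""


# Constructed stand-ins for the tax-benefit system's variable registry
# (assumption: PolicyEngine's real registry is not reproduced here).
class Region(enum.Enum):
    ENGLAND = "ENGLAND"
    WALES = "WALES"


KNOWN_VARIABLES: Mapping[str, Any] = {
    "region": Region,   # enum-backed variable
    "is_adult": bool,   # bool-backed variable
}

# Allowlist grammar for the string form: a bracketed, comma-separated list whose
# items are bare identifiers or single-/double-quoted strings. Calls, attribute
# access, arithmetic and comprehensions cannot match, so they are never executed.
_ITEM = r"(?:[A-Za-z_][A-Za-z0-9_]*|'[^'\\\n]*'|\"[^\"\\\n]*\")"
_LIST_RE = re.compile(rf"^\[\s*{_ITEM}(?:\s*,\s*{_ITEM})*\s*,?\s*\]$")
_ITEM_RE = re.compile(_ITEM)


def _unquote(token: str) -> str:
    # Strip the surrounding quotes from a quoted item; identifiers pass through.
    if token[0] in "'\"":
        return token[1:-1]
    return token


def possible_values(first_breakdown: Any,
                    variables: Mapping[str, Any] = KNOWN_VARIABLES) -> list:
    """Resolve breakdown metadata to its possible values without eval().

    Accepted inputs, in order:
      1. an explicit list/tuple -> returned as a list, unchanged;
      2. the name of a known bool- or enum-backed variable -> its value set;
      3. a string matching the allowlist list grammar -> its items.
    Anything else raises BreakdownError; nothing is ever evaluated as code.
    """
    if isinstance(first_breakdown, (list, tuple)):
        return list(first_breakdown)
    if not isinstance(first_breakdown, str):
        raise BreakdownError(
            f"unsupported breakdown type: {type(first_breakdown).__name__}")
    if first_breakdown in variables:
        backing = variables[first_breakdown]
        if backing is bool:
            return [False, True]
        if isinstance(backing, type) and issubclass(backing, enum.Enum):
            return [member.name for member in backing]
        raise BreakdownError(
            f"variable {first_breakdown!r} is not bool- or enum-backed")
    if _LIST_RE.match(first_breakdown):
        # The full-match above guarantees the tokens are only identifiers/strings.
        return [_unquote(tok) for tok in _ITEM_RE.findall(first_breakdown)]
    raise BreakdownError(
        f"breakdown metadata is not an allowed list expression: {first_breakdown!r}")


def is_rejected(first_breakdown: Any) -> bool:
    """Regression helper: True when the input is refused rather than evaluated."""
    try:
        possible_values(first_breakdown)
    except BreakdownError:
        return True
    return False
```

The regex is anchored with ^ and $ and admits only list syntax, so a regression test can assert that arbitrary expressions (calls, arithmetic, comprehensions, unknown variable names) are rejected while the three legitimate shapes still resolve.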