I’m currently addressing the Pandas DataFrame.query() Code Injection vulnerability, which allows arbitrary code execution if unsafe user input is processed by the .query() method. I understand this issue arises because the query() method can execute expressions within the context of the DataFrame, potentially leading to security risks.
My questions are as follows:
- Should I manually patch the vulnerability?
For example, I can override the query() method in the Pandas source code to validate expressions using Python’s ast module and block unsafe constructs. Is this a recommended approach, or does it pose potential risks (e.g., breaking functionality, maintaining the patch long-term)?
- How frequently does the Pandas team release updates or patches for vulnerabilities like this?
Should I wait for an official update to address this issue? Are there any best practices for monitoring when a fix becomes available?
- What is the general practice for addressing such library-level vulnerabilities in production environments?
Is it better to apply temporary mitigations (like validating input in my application code) and wait for the library maintainers, or should I fork/patch the library for immediate resolution?
Any insights, especially from those with experience in maintaining secure Python applications, would be greatly appreciated!
If you have a fix, here’s information about contributing to pandas.
If you don’t want to contribute, the best way would be to validate input in application code to avoid breaking functionality and maintaining the patch long-term.
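One way to do the application-level validation discussed above, using Python's `ast` module as an allowlist in front of `DataFrame.query()`. This is an added example, not code from pandas or from the posters; the names `validate_query_expr`, `safe_query`, `UnsafeQueryError` and the `MAX_EXPR_LEN` limit are assumptions made for illustration.

```python
import ast

# Node types permitted in a filter expression: comparisons, boolean logic,
# arithmetic, column names and literals. Call, Attribute, Subscript, Lambda,
# comprehensions and everything else are rejected because they are not listed.
_ALLOWED_NODES = (
    ast.Expression, ast.BoolOp, ast.And, ast.Or, ast.UnaryOp, ast.Not,
    ast.USub, ast.Invert, ast.BinOp, ast.Add, ast.Sub, ast.Mult, ast.Div,
    ast.BitAnd, ast.BitOr, ast.Compare, ast.Eq, ast.NotEq, ast.Lt, ast.LtE,
    ast.Gt, ast.GtE, ast.In, ast.NotIn, ast.Name, ast.Load, ast.Constant,
    ast.List, ast.Tuple,
)
_ALLOWED_LITERALS = (int, float, str, bool)
MAX_EXPR_LEN = 500  # assumed limit; tune for your application


class UnsafeQueryError(ValueError):
    """Raised when an expression falls outside the allowlist."""


def validate_query_expr(expr, allowed_columns):
    """Return expr unchanged if it only uses allowlisted syntax and columns."""
    if not isinstance(expr, str) or len(expr) > MAX_EXPR_LEN:
        raise UnsafeQueryError("expression must be a short string")
    try:
        # pandas-only syntax such as @local references and `backtick names`
        # is not valid Python, so it fails here and is rejected as well.
        tree = ast.parse(expr, mode="eval")
    except (SyntaxError, ValueError) as exc:
        raise UnsafeQueryError("not a plain expression") from exc
    for node in ast.walk(tree):
        if not isinstance(node, _ALLOWED_NODES):
            raise UnsafeQueryError(f"disallowed construct: {type(node).__name__}")
        if isinstance(node, ast.Name) and node.id not in allowed_columns:
            raise UnsafeQueryError(f"unknown name: {node.id}")
        if isinstance(node, ast.Constant) and type(node.value) not in _ALLOWED_LITERALS:
            raise UnsafeQueryError("disallowed literal")
    return expr


def safe_query(df, expr):
    """Validate against the frame's own columns, then run DataFrame.query()."""
    return df.query(validate_query_expr(expr, {str(c) for c in df.columns}))
```

Because the check lives in application code, it needs no fork of pandas; the trade-off is that legitimate expressions using `@variables`, method calls or backtick-quoted column names are refused until the allowlist is extended deliberately.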