# Dangerous Function Usage

- ID: python-dangerous-functions
- Severity: CRITICAL
- CWE: Code Injection (CWE-94)
- Languages: Python

## Description

Detects usage of dangerous Python functions that can lead to arbitrary code execution when they receive user input: eval(), exec(), compile(), __import__(), or pickle deserialization. These should be avoided or heavily restricted.

## Remediation

Use ast.literal_eval() for safe literal evaluation, JSON for serialization, and subprocess with shell=False.

```python
import ast
import json
import subprocess

# Constructed stand-ins for untrusted input (not values from a real request)
user_input = "[1, 2, 3]"
host = "127.0.0.1"

# Safe literal evaluation (numbers, strings, lists, dicts only; no names or calls)
result = ast.literal_eval(user_input)

# Safe serialization (use JSON instead of pickle)
data = json.loads(user_input)

# Safe subprocess (argument list, not a shell string, so host is never parsed by a shell)
subprocess.run(['ping', '-c', '1', host], shell=False, timeout=30)
```

Learn more: https://shoulder.dev/learn/python/cwe-94/dangerous-functions

## Related Rules

- **Code Injection via os/exec** [CRITICAL]
- **LLM Insecure Output Handling** [HIGH]
- **Server-Side Template Injection** [CRITICAL]
- **Code Injection via eval() and Function constructor** [CRITICAL]
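As an added example (not code from this rule's page or the shoulder.dev project), the following shows both halves of the rule: a minimal AST-based check that flags the calls listed in the Description, and a wrapper around the ast.literal_eval() remediation that rejects anything which is not a plain literal. The flagged-name sets and the sample source are assumptions made for the example.

```python
import ast

# Names this example flags (assumption: the rule's list from the Description).
DANGEROUS_CALLS = {"eval", "exec", "compile", "__import__"}
DANGEROUS_ATTRS = {("pickle", "loads"), ("pickle", "load")}


def _call_name(node):
    """Return 'eval' for eval(...) or 'pickle.loads' for pickle.loads(...)."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return None


def find_dangerous_calls(source, filename="<input>"):
    """Return sorted [(line, name)] for each flagged call in Python source text."""
    tree = ast.parse(source, filename)
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        if name is None:
            continue
        if name in DANGEROUS_CALLS or tuple(name.split(".", 1)) in DANGEROUS_ATTRS:
            findings.append((node.lineno, name))
    return sorted(findings)


def parse_literal(text):
    """Remediation: literal_eval only builds data; names and calls raise ValueError."""
    try:
        return ast.literal_eval(text)
    except (ValueError, SyntaxError) as exc:
        raise ValueError(f"not a Python literal: {text!r}") from exc


# Constructed sample source: lines 2 and 4 should be flagged, line 3 should not.
SAMPLE = """\
import ast, pickle
x = eval(request.args['expr'])
y = ast.literal_eval(request.args['expr'])
z = pickle.loads(blob)
"""

if __name__ == "__main__":
    for line, name in find_dangerous_calls(SAMPLE):
        print(f"line {line}: {name}")  # prints lines 2 (eval) and 4 (pickle.loads)
```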