
BUG: eval and query ignore empty local_dict and global_dict #47084

Closed
@Alex-Blade

Description


Pandas version checks

  • I have checked that this issue has not already been reported.

  • I have confirmed this bug exists on the latest version of pandas.

  • I have confirmed this bug exists on the main branch of pandas.

Reproducible Example

import pandas as pd
df = pd.DataFrame([[1,2], [1,2]], columns=["a", "b"])
df.eval("c = @df.a + @df.b", local_dict={}, global_dict={})

a b c
0 1 2 3
1 1 2 3

Issue Description

If someone were to pass empty dictionaries into the local_dict and global_dict kwargs of pd.eval, df.eval or df.query, it would work as if None had been passed instead (i.e. the actual scope would be populated with the current frame's locals and globals). This is unexpected behavior and a security concern.

The reason behind this is an incorrect check of the argument for None equality, there and there. If the user passes global_dict={}, the following happens: `global_dict or frame.f_globals` => `{} or frame.f_globals` => `False or frame.f_globals` => `frame.f_globals`, and the same with local_dict later on.

Expected Behavior

import pandas as pd
df = pd.DataFrame([[1,2], [1,2]], columns=["a", "b"])
df.eval("c = @df.a + @df.b", local_dict={}, global_dict={})
UndefinedVariableError: Undefined variable 'df'

Or a similar error

Installed Versions

INSTALLED VERSIONS

commit : 1be9d38
python : 3.9.7.final.0
python-bits : 64
OS : Linux
OS-release : 5.17.5-76051705-generic
Version : #202204271406165150484021.10~63e51bd SMP PREEMPT Mon May 2 15:
machine : x86_64
processor : x86_64
byteorder : little
LC_ALL : None
LANG : en_US.UTF-8
LOCALE : en_US.UTF-8

pandas : 1.5.0.dev0+798.g1be9d3868f
numpy : 1.21.3
pytz : 2021.1
dateutil : 2.8.2
pip : 20.3.4
setuptools : 52.0.0
Cython : 0.29.30
pytest : 6.2.5
hypothesis : 6.46.7
sphinx : 4.5.0
blosc : 1.10.6
feather : None
xlsxwriter : 3.0.3
lxml.etree : 4.6.3
html5lib : 1.1
pymysql : None
psycopg2 : None
jinja2 : 3.1.1
IPython : 7.33.0
pandas_datareader: None
bs4 : 4.9.3
bottleneck : 1.3.4
brotli : None
fastparquet : 0.7.2
fsspec : 2022.5.0
gcsfs : 2022.5.0
matplotlib : 3.4.3
numba : 0.53.1
numexpr : 2.8.1
odfpy : None
openpyxl : 3.0.10
pandas_gbq : None
pyarrow : 7.0.0
pyreadstat : 1.1.6
pyxlsb : None
s3fs : 0.6.0
scipy : 1.7.3
snappy :
sqlalchemy : 1.4.36
tables : 3.7.0
tabulate : 0.8.9
xarray : 2022.3.0
xlrd : 2.0.1
xlwt : 1.3.0
zstandard : None
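The scope-resolution mistake the report describes, modelled in plain Python as an added illustration (this is not pandas code). `buggy_scope` mirrors the `global_dict or frame.f_globals` pattern, `fixed_scope` replaces the truthiness test with an explicit `is None` check, and the `frame_locals` / `frame_globals` dicts are constructed stand-ins for the caller's frame; `UndefinedVariableError`, `resolve` and `is_defined` are hypothetical helpers used only to show the observable difference.

```python
"""Toy model of 'empty dict treated like None' scope resolution.

Added example, not pandas code. The frame dicts are constructed stand-ins
for f_locals / f_globals of the frame that called eval/query.
"""
from __future__ import annotations


class UndefinedVariableError(NameError):
    """Hypothetical stand-in for the error the reporter expects."""


def _merge(scope_globals: dict, scope_locals: dict) -> dict:
    # locals shadow globals, as they would in a real frame lookup
    return {**scope_globals, **scope_locals}


def buggy_scope(local_dict, global_dict, frame_locals, frame_globals) -> dict:
    """Mirrors the reported pattern: `arg or frame.f_globals`.

    An empty dict is falsy, so an explicit `{}` is silently replaced by the
    caller's frame, and every local/global becomes reachable via `@name`.
    """
    scope_globals = global_dict or frame_globals
    scope_locals = local_dict or frame_locals
    return _merge(scope_globals, scope_locals)


def fixed_scope(local_dict, global_dict, frame_locals, frame_globals) -> dict:
    """Only fall back to the frame when the argument was not supplied at all."""
    scope_globals = frame_globals if global_dict is None else global_dict
    scope_locals = frame_locals if local_dict is None else local_dict
    return _merge(scope_globals, scope_locals)


def resolve(name: str, scope: dict):
    """Look up a `@name` reference in the chosen scope."""
    try:
        return scope[name]
    except KeyError:
        raise UndefinedVariableError(f"Undefined variable '{name}'") from None


def is_defined(name: str, scope: dict) -> bool:
    try:
        resolve(name, scope)
        return True
    except UndefinedVariableError:
        return False


def demo() -> tuple[bool, bool]:
    """Returns (leaks_with_buggy, leaks_with_fixed) for an empty-dict call."""
    # constructed caller frame: a DataFrame plus something the caller would
    # rather not expose to an untrusted expression
    frame_locals = {"df": "<DataFrame>", "api_token": "hunter2"}
    frame_globals = {"os": "<module os>"}

    leaky = buggy_scope({}, {}, frame_locals, frame_globals)
    sealed = fixed_scope({}, {}, frame_locals, frame_globals)
    return is_defined("api_token", leaky), is_defined("api_token", sealed)


if __name__ == "__main__":
    print(demo())
```

With the buggy check, `demo()` reports that `api_token` is reachable even though both dicts were passed as `{}`; with the `is None` check it is not. Until a fix ships, a caller that wants a sealed scope on an affected version can avoid the falsy path by passing a dict that is not empty (for example one containing only the names the expression is allowed to see), since the report's own evaluation chain shows that only an empty dict is discarded; that is a workaround inferred from the described logic, not advice from the pandas project.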
