🛡️ Sentinel: [CRITICAL] Fix arbitrary code execution in AST eval

[bashandbone]

🚨 Severity: CRITICAL
💡 Vulnerability: The application was using eval() to dynamically resolve type annotations from strings. It validated the AST structure to only permit safe nodes. However, it blindly allowed generic ast.Call nodes. This created an Arbitrary Code Execution (ACE) vulnerability, because any valid callable existing in the globalns dictionary (or builtins) could be executed during evaluation if present in the type string.
🎯 Impact: An attacker who could control or inject a malicious type string could potentially execute arbitrary code on the host machine.
🔧 Fix: Implemented strict whitelisting within TypeValidator.generic_visit(). When an ast.Call node is encountered, the code now explicitly checks that the function being called is specifically one of the intended whitelisted functions (Depends, depends, Field, PrivateAttr, Tag, Parameter). If the function call does not match the whitelist, a TypeError is raised, preventing the evaluation.
✅ Verification: Verified by code review, unit tests (tests/unit/core/), and integration tests (tests/integration/providers/).

---

PR created automatically by Jules for task 17667289194909456202 started by @bashandbone

Summary by Sourcery

Harden type-string evaluation by restricting callable usage in AST-based validation and document the resolved arbitrary code execution vulnerability in Sentinel notes.

Bug Fixes:

• Prevent arbitrary code execution during type-string evaluation by rejecting non-whitelisted function calls in AST Call nodes.

Documentation:

• Extend Sentinel security notes with details of the AST eval arbitrary code execution vulnerability and its prevention.

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[sourcery-ai]

Reviewer's guide (collapsed on small PRs)

Reviewer's Guide

Restricts the AST-based safe eval mechanism for type strings to only allow calls to a small, explicit whitelist of functions and documents the security issue and mitigation in the Sentinel security notes.

File-Level Changes

Change	Details	Files
Harden AST validation for type-string evaluation to prevent arbitrary code execution via ast.Call.	Mark _safe_eval_type as intentionally complex to appease the C901 linter without refactoring in this PR Extend TypeValidator.generic_visit to detect ast.Call nodes in the parsed type AST Derive the called function name from ast.Name or ast.Attribute nodes for call expressions Enforce a strict whitelist of allowed callable names in type-string calls (Depends, depends, Field, PrivateAttr, Tag, Parameter) and raise TypeError for anything else before eval is reached	src/codeweaver/core/di/container.py
Record the AST eval arbitrary code execution vulnerability and its mitigation in the Sentinel security log.	Add a dated Sentinel entry describing the ACE vulnerability stemming from permissive ast.Call handling in type evaluation Document the learning that ast.Call in type annotations must be strictly validated when combined with eval Describe whitelisting of specific allowed functions in ast.Call as the preventive measure	.jules/sentinel.md

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[github-actions]

🤖 Hi @bashandbone, I've received your request, and I'm working on it now! You can track my progress in the logs for more details.

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

[github-actions]

🤖 I'm sorry @bashandbone, but I was unable to process your request. Please see the logs for more details.

[sourcery-ai]

Hey - I've left some high level feedback:

• The allowed_funcs set is hardcoded inside generic_visit; consider centralizing this whitelist as a module-level constant or shared configuration so it can be reused and updated consistently across the codebase.
• For ast.Attribute calls you currently only check node.func.attr, which ignores the full attribute path; if calls like some_module.Depends should be allowed or disallowed differently, you may want to validate the fully qualified name instead of just the final attribute.
• When func_name cannot be resolved (e.g., non-Name/Attribute callables), you raise a TypeError with func_name as None; consider emitting a more explicit error message in this case to make debugging rejected type strings clearer.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- The `allowed_funcs` set is hardcoded inside `generic_visit`; consider centralizing this whitelist as a module-level constant or shared configuration so it can be reused and updated consistently across the codebase.
- For `ast.Attribute` calls you currently only check `node.func.attr`, which ignores the full attribute path; if calls like `some_module.Depends` should be allowed or disallowed differently, you may want to validate the fully qualified name instead of just the final attribute.
- When `func_name` cannot be resolved (e.g., non-`Name`/`Attribute` callables), you raise a `TypeError` with `func_name` as `None`; consider emitting a more explicit error message in this case to make debugging rejected type strings clearer.

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}