knitli · bashandbone · Jun 1, 2026 · sourcery-ai · Jun 1, 2026
diff --git a/.jules/sentinel.md b/.jules/sentinel.md
@@ -4,3 +4,8 @@
 **Vulnerability:** Found an unused `_attempt_import` function in `src/codeweaver/server/mcp/server.py` that dynamically imports a module directly from unvalidated configuration (`import_module(mw.rsplit(".", 1)[0])`), leading to potential arbitrary code execution.
 **Learning:** Functions that perform dynamic imports should not be left around in the codebase if they are unused, especially if they are designed to take unvalidated strings as input.
 **Prevention:** Avoid dynamic imports based on configuration or inputs without strict whitelisting. Use tools like `semgrep` with python security rules to actively catch these patterns.
+
+## 2025-02-25 - Arbitrary code execution in AST eval
+**Vulnerability:** Found a lack of whitelisting for `ast.Call` nodes in type annotation resolution logic within `TypeValidator` (at `src/codeweaver/core/di/container.py`). This allowed any arbitrary function within the module's global namespace to be called during `eval()`, potentially leading to Arbitrary Code Execution (ACE).
+**Learning:** Permitting generic `ast.Call` nodes inside restricted Abstract Syntax Tree parsing environments drastically increases the attack surface, allowing escape from restricted evaluation constraints.
+**Prevention:** Strictly limit `ast.Call` nodes to specifically required functions (e.g., `Depends`, `depends`, `Field`, `PrivateAttr`, `Tag`, `Parameter`) when validating trees meant for dynamic type evaluation.
diff --git a/src/codeweaver/core/di/container.py b/src/codeweaver/core/di/container.py
@@ -84,7 +84,7 @@ def __init__(self) -> None:
         self._request_cache: dict[Any, Any] = {}  # Keys can be types or callables
         self._providers_loaded: bool = False  # Track if auto-discovery has run
 
-    def _safe_eval_type(self, type_str: str, globalns: dict[str, Any]) -> Any | None:
+    def _safe_eval_type(self, type_str: str, globalns: dict[str, Any]) -> Any | None: # noqa: C901
         """Safely evaluate a type string using AST validation.
 
         Parses the type string into an AST, validates that it contains only safe
@@ -136,6 +136,20 @@ def generic_visit(self, node: ast.AST) -> None:
                 if isinstance(node, ast.Attribute) and node.attr.startswith("__"):
                     raise TypeError(f"Forbidden dunder attribute: {node.attr}")
 
+                # Security: Restrict ast.Call nodes to known safe functions to prevent arbitrary code execution (ACE).
+                # Allowing arbitrary functions (like 'eval' or malicious callables) inside type annotations is dangerous.
+                if isinstance(node, ast.Call):
+                    if isinstance(node.func, ast.Name):
+                        func_name = node.func.id
+                    elif isinstance(node.func, ast.Attribute):
+                        func_name = node.func.attr
+                    else:
+                        raise TypeError(f"Forbidden call function node type: {type(node.func).__name__}")
+
+                    allowed_calls = {"Depends", "depends", "Field", "PrivateAttr", "Tag", "Parameter"}
+                    if func_name not in allowed_calls:
+                        raise TypeError(f"Forbidden function call in type string: {func_name}")
+
                 super().generic_visit(node)
 
         try: