knitli · bashandbone · Jun 10, 2026
diff --git a/.jules/sentinel.md b/.jules/sentinel.md
@@ -4,3 +4,8 @@
 **Vulnerability:** Found an unused `_attempt_import` function in `src/codeweaver/server/mcp/server.py` that dynamically imports a module directly from unvalidated configuration (`import_module(mw.rsplit(".", 1)[0])`), leading to potential arbitrary code execution.
 **Learning:** Functions that perform dynamic imports should not be left around in the codebase if they are unused, especially if they are designed to take unvalidated strings as input.
 **Prevention:** Avoid dynamic imports based on configuration or inputs without strict whitelisting. Use tools like `semgrep` with python security rules to actively catch these patterns.
+
+## 2026-04-22 - Arbitrary Code Execution (ACE) via unvalidated ast.Call nodes
+**Vulnerability:** Found that the AST validation for safe type evaluation `_safe_eval_type` in `src/codeweaver/core/di/container.py` allowed generic `ast.Call` nodes. This permitted the evaluation of arbitrary function calls within type hint strings, leading to a critical Arbitrary Code Execution (ACE) vulnerability.
+**Learning:** Permitting generic `ast.Call` nodes during AST-based validation for dynamic evaluation bypasses the intended safety restrictions, as any callable in the global namespace can be executed.
+**Prevention:** `ast.Call` nodes must be strictly evaluated and whitelisted to only allow specific, required functions (e.g., `Depends`, `depends`, `Field`, `PrivateAttr`, `Tag`, `Parameter`) using custom visitor methods like `visit_Call`.
diff --git a/src/codeweaver/core/di/container.py b/src/codeweaver/core/di/container.py
@@ -84,7 +84,7 @@ def __init__(self) -> None:
         self._request_cache: dict[Any, Any] = {}  # Keys can be types or callables
         self._providers_loaded: bool = False  # Track if auto-discovery has run
 
-    def _safe_eval_type(self, type_str: str, globalns: dict[str, Any]) -> Any | None:
+    def _safe_eval_type(self, type_str: str, globalns: dict[str, Any]) -> Any | None:  # noqa: C901
         """Safely evaluate a type string using AST validation.
 
         Parses the type string into an AST, validates that it contains only safe
@@ -138,6 +138,22 @@ def generic_visit(self, node: ast.AST) -> None:
 
                 super().generic_visit(node)
 
+            def visit_Call(self, node: ast.Call) -> None:
+                # Security constraint: Limit allowed function calls to prevent arbitrary code execution (ACE).
+                # Only whitelisted functions are permitted to be evaluated inside type hints.
+                allowed_funcs = {"Depends", "depends", "Field", "PrivateAttr", "Tag", "Parameter"}
+
+                if isinstance(node.func, ast.Name):
+                    if node.func.id not in allowed_funcs:
+                        raise TypeError(f"Forbidden function call: {node.func.id}")
+                elif isinstance(node.func, ast.Attribute):
+                    if node.func.attr not in allowed_funcs:
+                        raise TypeError(f"Forbidden function call attribute: {node.func.attr}")
+                else:
+                    raise TypeError(f"Forbidden function call type: {type(node.func).__name__}")
+
+                self.generic_visit(node)
+
         try:
             TypeValidator().visit(tree)
         except TypeError: