BUG: eval and query ignore empty local_dict and global_dict
Pandas version checks
- I have checked that this issue has not already been reported.
- I have confirmed this bug exists on the latest version of pandas.
- I have confirmed this bug exists on the main branch of pandas.
Reproducible Example

```python
import pandas as pd

df = pd.DataFrame([[1, 2], [1, 2]], columns=["a", "b"])
df.eval("c = @df.a + @df.b", local_dict={}, global_dict={})
```

Output (the empty dictionaries are ignored and `df` is resolved from the caller's frame):

```
   a  b  c
0  1  2  3
1  1  2  3
```
Issue Description
If someone passes empty dictionaries to the `local_dict` and `global_dict` kwargs of `pd.eval`, `df.eval` or `df.query`, they behave as if `None` had been passed instead: the actual scope is populated with the current frame's locals and globals. This is unexpected behavior and a security concern, since the caller's variables remain reachable from the expression even though an explicitly empty scope was requested.

The reason is an incorrect check for `None` in two places. If the user passes `global_dict={}`, the following happens: `global_dict or frame.f_globals` => `{} or frame.f_globals` => `False or frame.f_globals` => `frame.f_globals`, and the same with `local_dict` later on.
Expected Behavior

```python
import pandas as pd

df = pd.DataFrame([[1, 2], [1, 2]], columns=["a", "b"])
df.eval("c = @df.a + @df.b", local_dict={}, global_dict={})
```

```
UndefinedVariableError: Undefined variable 'df'
```

Or a similar error.
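The faulty check and its correction, reduced to a pandas-free stand-in (an added example, not pandas' own code): `resolve_scope_buggy` mirrors the `x or frame.f_globals` pattern quoted above, `resolve_scope_fixed` tests for `None` explicitly, and `lookup`, `resolve_with`, `UndefinedVariableError` and `SECRET_TOKEN` are names constructed for the demonstration.

```python
import sys


class UndefinedVariableError(NameError):
    """Stand-in for pandas' exception of the same name (constructed here)."""


def resolve_scope_buggy(local_dict=None, global_dict=None):
    # Faulty form quoted in the report: `{}` is falsy, so `{} or frame.f_globals`
    # silently falls back to the caller's globals (likewise for locals).
    frame = sys._getframe(1)
    try:
        return local_dict or frame.f_locals, global_dict or frame.f_globals
    finally:
        del frame  # avoid a reference cycle through the frame object


def resolve_scope_fixed(local_dict=None, global_dict=None):
    # Corrected form: only an explicit None means "use the caller's scope".
    frame = sys._getframe(1)
    try:
        locs = frame.f_locals if local_dict is None else local_dict
        globs = frame.f_globals if global_dict is None else global_dict
        return locs, globs
    finally:
        del frame


def lookup(name, local_dict, global_dict):
    """Resolve a name the way an `@name` reference is: locals first, then globals."""
    if name in local_dict:
        return local_dict[name]
    if name in global_dict:
        return global_dict[name]
    raise UndefinedVariableError(f"Undefined variable '{name}'")


SECRET_TOKEN = "constructed-secret"  # module-level value an empty scope must not expose


def resolve_with(resolver, name="SECRET_TOKEN"):
    """Look `name` up via `resolver` with both scope dicts explicitly empty.
    Returns the leaked value, or None when the lookup correctly fails."""
    locs, globs = resolver(local_dict={}, global_dict={})
    try:
        return lookup(name, locs, globs)
    except UndefinedVariableError:
        return None


if __name__ == "__main__":
    print("buggy:", resolve_with(resolve_scope_buggy))  # constructed-secret
    print("fixed:", resolve_with(resolve_scope_fixed))  # None
```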
Installed Versions

```
INSTALLED VERSIONS
commit : 1be9d38
python : 3.9.7.final.0
python-bits : 64
OS : Linux
OS-release : 5.17.5-76051705-generic
Version : #202204271406165150484021.10~63e51bd SMP PREEMPT Mon May 2 15:
machine : x86_64
processor : x86_64
byteorder : little
LC_ALL : None
LANG : en_US.UTF-8
LOCALE : en_US.UTF-8
pandas : 1.5.0.dev0+798.g1be9d3868f
numpy : 1.21.3
pytz : 2021.1
dateutil : 2.8.2
pip : 20.3.4
setuptools : 52.0.0
Cython : 0.29.30
pytest : 6.2.5
hypothesis : 6.46.7
sphinx : 4.5.0
blosc : 1.10.6
feather : None
xlsxwriter : 3.0.3
lxml.etree : 4.6.3
html5lib : 1.1
pymysql : None
psycopg2 : None
jinja2 : 3.1.1
IPython : 7.33.0
pandas_datareader: None
bs4 : 4.9.3
bottleneck : 1.3.4
brotli : None
fastparquet : 0.7.2
fsspec : 2022.5.0
gcsfs : 2022.5.0
matplotlib : 3.4.3
numba : 0.53.1
numexpr : 2.8.1
odfpy : None
openpyxl : 3.0.10
pandas_gbq : None
pyarrow : 7.0.0
pyreadstat : 1.1.6
pyxlsb : None
s3fs : 0.6.0
scipy : 1.7.3
snappy :
sqlalchemy : 1.4.36
tables : 3.7.0
tabulate : 0.8.9
xarray : 2022.3.0
xlrd : 2.0.1
xlwt : 1.3.0
zstandard : None
```