The eval() call could be made safer by setting globals and locals to only those symbols that are useful in the context it's used. https://docs.python.org/2/library/functions.html#eval and http://lybniz2.sourceforge.net/safeeval.html -- You received this bug notification because you are a member of OpenStack Security Group, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1367022 Title: Un-sanitized eval may have security impact Status in OpenStack Telemetry (Ceilometer): New Status in OpenStack Security Advisories: Won't Fix Bug description: On this line: https://github.com/openstack/ceilometer/blob/master/ceilometer/transformer/conversions.py#L62 eval is used for some transformation. The comments near by suggest that it is used for a 'multiplicative factor or else a string to be eval'd'. If an attacker is able to provide an input like "__import__('os').system('rm -rf /etc')" the process will delete the etc directory with the privileges of the user that is running Ceilometer. Eval input should always be sanitized. I was unable to find any places that this is actually used, but this should definitely be hardened. To manage notifications about this bug go to: https://bugs.launchpad.net/ceilometer/+bug/1367022/+subscriptions