
Code Smell 245 — Exec() and Eval()

by Maximiliano ContieriApril 4th, 2024


A great door for hackers

TL;DR: Don't use metaprogramming. It is not that cool.


Problems

  • Security
  • Limited Control


Solutions

  1. Use direct calls
  2. Wrap the execution in a primitive and controlled command
  3. Sanitize it


Context

Developers employ the eval() and exec() functions to evaluate arbitrary expressions from strings.

They can be a powerful tool in certain contexts but come with several risks and problems, especially when used with untrusted input or where the code's behavior is not fully controlled or understood.

Sample Code


Wrong

def calculate(mathOperand, firstArgument, secondArgument):
    # The three arguments are pasted into a string and handed to eval():
    # whatever the caller supplies is executed as Python code
    return eval(f'{firstArgument} {mathOperand} {secondArgument}')

# Sample usage to multiply two numbers
result = calculate('*', 4, 6)

# Injection to remove all files
calculate('', "__import__('os').system('rm -rf *')", '')


Right

def calculate(mathOperand, firstArgument, secondArgument):
    if mathOperand == '+':
        return firstArgument + secondArgument
    elif mathOperand == '-':
        return firstArgument - secondArgument
    elif mathOperand == '*':
        return firstArgument * secondArgument
    elif mathOperand == '/':
        if secondArgument != 0:
            return firstArgument / secondArgument
        return "Error: Division by zero"
    return "Error: Invalid operation - Do not hack!"
# This is a quick solution but another smell
# You should avoid this kind of switches and iterate to
# a Polymorphic Hierarchy
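The two solutions the article lists (direct calls, and wrapping execution in a primitive and controlled command) can both be shown without the if/elif chain. The following is an added example, not code from the article or its author: `calculate()` dispatches through a table of operator functions, and `safe_eval()` parses a user-supplied arithmetic string with the standard `ast` module and walks only a whitelist of node types, so names, attribute access and calls (the elements the injection above relies on) are rejected before anything runs. The function names, the operator table and the sample expressions are assumptions made for this example.

```python
import ast
import operator

# Constructed example: a controlled arithmetic evaluator that replaces eval().
# The expression is parsed into an AST and only whitelisted node types are
# walked, so names, attribute access and calls are refused, never executed.

# Solution 1: direct calls. Each operator symbol maps to a plain function,
# so no source string is ever built from caller input.
DIRECT_CALLS = {
    '+': operator.add,
    '-': operator.sub,
    '*': operator.mul,
    '/': operator.truediv,
}

# AST node types that the controlled evaluator is allowed to execute.
AST_OPERATORS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
    ast.USub: operator.neg,
}


def calculate(math_operand, first_argument, second_argument):
    """Dispatch on a table of primitive operations instead of eval()."""
    if math_operand not in DIRECT_CALLS:
        raise ValueError(f"unsupported operator: {math_operand!r}")
    for value in (first_argument, second_argument):
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            raise TypeError("operands must be numbers")
    if math_operand == '/' and second_argument == 0:
        raise ZeroDivisionError("division by zero")
    return DIRECT_CALLS[math_operand](first_argument, second_argument)


def safe_eval(expression):
    """Solution 2: evaluate an arithmetic string inside a controlled command.

    Anything that is not a numeric literal or whitelisted arithmetic raises
    ValueError; a malformed string raises SyntaxError from ast.parse.
    """
    tree = ast.parse(expression, mode='eval')
    return _walk(tree.body)


def _walk(node):
    # Numeric literal (bool is excluded even though it subclasses int).
    if (isinstance(node, ast.Constant)
            and isinstance(node.value, (int, float))
            and not isinstance(node.value, bool)):
        return node.value
    # Binary arithmetic: evaluate both sides, then apply the mapped function.
    if isinstance(node, ast.BinOp) and type(node.op) in AST_OPERATORS:
        left, right = _walk(node.left), _walk(node.right)
        if isinstance(node.op, ast.Div) and right == 0:
            raise ZeroDivisionError("division by zero")
        return AST_OPERATORS[type(node.op)](left, right)
    # Unary minus.
    if isinstance(node, ast.UnaryOp) and type(node.op) in AST_OPERATORS:
        return AST_OPERATORS[type(node.op)](_walk(node.operand))
    # ast.Name, ast.Call, ast.Attribute, ast.Subscript, ... all land here.
    raise ValueError(f"disallowed expression element: {type(node).__name__}")


def is_rejected(expression):
    """True when the controlled evaluator refuses the expression."""
    try:
        safe_eval(expression)
    except (ValueError, SyntaxError, ZeroDivisionError):
        return True
    return False


if __name__ == "__main__":
    print(calculate('*', 4, 6))                 # 24
    print(safe_eval("4 * 6 + (10 - 2) / 4"))    # 26.0
    # The injection payload from the article is refused, not executed.
    print(is_rejected("__import__('os').system('rm -rf *')"))  # True
```

The whitelist is the important design choice: the evaluator enumerates what it accepts rather than trying to strip dangerous substrings from the input, so a new way of spelling a call or an import needs no new rule to be blocked.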


Detection

  • Automatic

You can search for eval() in the code
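A text search for eval() works, but it also matches comments, string literals and unrelated names such as retrieval(). As an added example that is not part of the article, the detector below walks a Python file's syntax tree with the standard `ast` module and reports only real call sites, including calls made through the builtins module. The sample source it scans is constructed for the example, and the function name is an assumption.

```python
import ast

# Constructed example: an AST-based detector for eval()/exec() call sites.
DANGEROUS = {"eval", "exec"}


def find_dynamic_execution(source, filename="<string>"):
    """Return sorted (line, column, callee) tuples for every eval()/exec() call."""
    findings = []
    tree = ast.parse(source, filename=filename)
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        name = None
        if isinstance(func, ast.Name) and func.id in DANGEROUS:
            name = func.id                       # bare eval(...) / exec(...)
        elif (isinstance(func, ast.Attribute) and func.attr in DANGEROUS
              and isinstance(func.value, ast.Name)
              and func.value.id == "builtins"):
            name = f"builtins.{func.attr}"       # builtins.exec(...)
        if name:
            findings.append((node.lineno, node.col_offset, name))
    return sorted(findings)


# Constructed sample source: two real call sites and three look-alikes.
SAMPLE_SOURCE = '''\
import builtins

def calculate(op, a, b):
    return eval(f"{a} {op} {b}")      # real finding

def retrieval(query):                  # not a finding: different name
    return query

def run(code):
    builtins.exec(code)                # real finding via the builtins module
    # eval("1 + 1") in a comment is not a finding
    return "eval(" + code              # string literal, not a call
'''


if __name__ == "__main__":
    for line, column, callee in find_dynamic_execution(SAMPLE_SOURCE):
        print(f"line {line}, col {column}: {callee}()")
```

Run over a real tree, feed each file's text to find_dynamic_execution() and review every reported line; a file that fails to parse raises SyntaxError, which is worth reporting separately rather than silently skipping.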


Tags

  • Metaprogramming


Level

  • Intermediate

AI Assistants

Most AI Assistants avoid using eval() in their solutions.

They also recognize it as a code smell and offer different options.


Conclusion

Avoid this metaprogramming solution by hardcoding all the possible scenarios and avoiding over-generalizations.


Relations

Code Smell 207 - Dynamic Methods

Code Smell 189 - Not Sanitized Input

Code Smell 215 - Deserializing Object Vulnerability

More Info


Disclaimer

Code Smells are my opinion.


Credits

Photo by Yang on Unsplash

When you actually sit down to write some code, you learn things that you didn’t get from thinking about them in modeling terms…there is a feedback process there that you can only really get at from executing some things and seeing what works.

Martin Fowler

This article is part of the CodeSmell Series.