BUG: eval and query ignore empty local_dict and global_dict #47084

Closed
3 tasks done
Alex-Blade opened this issue May 21, 2022 · 0 comments · Fixed by #47085
Labels
Bug expressions pd.eval, query
@Alex-Blade
Contributor

Pandas version checks

  • I have checked that this issue has not already been reported.

  • I have confirmed this bug exists on the latest version of pandas.

  • I have confirmed this bug exists on the main branch of pandas.

Reproducible Example

import pandas as pd
df = pd.DataFrame([[1,2], [1,2]], columns=["a", "b"])
df.eval("c = @df.a + @df.b", local_dict={}, global_dict={})

   a  b  c
0  1  2  3
1  1  2  3

Issue Description

If someone were to pass empty dictionaries into the local_dict and global_dict kwargs of pd.eval, df.eval or df.query, it would work as if None was passed instead (i.e. the actual scope would be populated with the current frame's locals and globals). This is an unexpected behavior and a security concern.

The reason behind this is an incorrect check of argument None equality there and there. If the user passes global_dict={}, the following happens: global_dict or frame.f_globals => {} or frame.f_globals => False or frame.f_globals => frame.f_globals, and the same with local_dict later on.

Expected Behavior

import pandas as pd
df = pd.DataFrame([[1,2], [1,2]], columns=["a", "b"])
df.eval("c = @df.a + @df.b", local_dict={}, global_dict={})
UndefinedVariableError: Undefined variable 'df'

Or a similar error

Installed Versions

INSTALLED VERSIONS

commit : 1be9d38
python : 3.9.7.final.0
python-bits : 64
OS : Linux
OS-release : 5.17.5-76051705-generic
Version : #202204271406165150484021.10~63e51bd SMP PREEMPT Mon May 2 15:
machine : x86_64
processor : x86_64
byteorder : little
LC_ALL : None
LANG : en_US.UTF-8
LOCALE : en_US.UTF-8

pandas : 1.5.0.dev0+798.g1be9d3868f
numpy : 1.21.3
pytz : 2021.1
dateutil : 2.8.2
pip : 20.3.4
setuptools : 52.0.0
Cython : 0.29.30
pytest : 6.2.5
hypothesis : 6.46.7
sphinx : 4.5.0
blosc : 1.10.6
feather : None
xlsxwriter : 3.0.3
lxml.etree : 4.6.3
html5lib : 1.1
pymysql : None
psycopg2 : None
jinja2 : 3.1.1
IPython : 7.33.0
pandas_datareader: None
bs4 : 4.9.3
bottleneck : 1.3.4
brotli : None
fastparquet : 0.7.2
fsspec : 2022.5.0
gcsfs : 2022.5.0
matplotlib : 3.4.3
numba : 0.53.1
numexpr : 2.8.1
odfpy : None
openpyxl : 3.0.10
pandas_gbq : None
pyarrow : 7.0.0
pyreadstat : 1.1.6
pyxlsb : None
s3fs : 0.6.0
scipy : 1.7.3
snappy :
sqlalchemy : 1.4.36
tables : 3.7.0
tabulate : 0.8.9
xarray : 2022.3.0
xlrd : 2.0.1
xlwt : 1.3.0
zstandard : None

@Alex-Blade Alex-Blade added Bug Needs Triage Issue that has not been reviewed by a pandas team member labels May 21, 2022
@jreback jreback added this to the 1.5 milestone May 21, 2022
@jreback jreback added expressions pd.eval, query and removed Needs Triage Issue that has not been reviewed by a pandas team member labels May 21, 2022
@simonjayhawkins simonjayhawkins modified the milestones: 1.5, 1.4.3 May 30, 2022
meeseeksmachine pushed a commit to meeseeksmachine/pandas that referenced this issue Jun 5, 2022
simonjayhawkins pushed a commit that referenced this issue Jun 6, 2022
…ictionaries (#47084)) (#47250)

Backport PR #47085: BUG: Eval scopes ignoring empty dictionaries (#47084)

Co-authored-by: Alex-Blade <[email protected]>
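
The truthiness fallback described in the issue, reduced to a standalone sketch with no pandas dependency. This is an added example, not code from the issue or from pandas: resolve_buggy, resolve_strict, lookup, evaluate_untrusted and leaks are hypothetical names, the `is None` test is one assumed way to make the check strict, and api_token is a constructed sample value.

```python
import sys


def resolve_buggy(local_dict=None, global_dict=None, level=0):
    # Truthiness test, the pattern quoted in the issue: {} is falsy, so an
    # explicitly empty scope is silently replaced by the caller's frame.
    frame = sys._getframe(level + 1)
    try:
        return (dict(global_dict or frame.f_globals),
                dict(local_dict or frame.f_locals))
    finally:
        del frame  # drop the frame reference to avoid a reference cycle


def resolve_strict(local_dict=None, global_dict=None, level=0):
    # Identity test (assumed fix): only None means "use the caller's frame".
    frame = sys._getframe(level + 1)
    try:
        return (dict(frame.f_globals if global_dict is None else global_dict),
                dict(frame.f_locals if local_dict is None else local_dict))
    finally:
        del frame


def lookup(name, scope):
    # Resolve a name the way an expression engine would: locals, then globals.
    global_ns, local_ns = scope
    for namespace in (local_ns, global_ns):
        if name in namespace:
            return namespace[name]
    raise NameError(f"undefined variable {name!r}")


def evaluate_untrusted(resolver, name, **scope_kwargs):
    # The caller holds a value the evaluated expression should never reach.
    api_token = "constructed-sample-value"
    scope = resolver(**scope_kwargs)
    return lookup(name, scope)


def leaks(resolver):
    # True if empty scopes still expose the caller's local variable.
    try:
        evaluate_untrusted(resolver, "api_token", local_dict={}, global_dict={})
        return True
    except NameError:
        return False


if __name__ == "__main__":
    print("truthiness check leaks caller scope:", leaks(resolve_buggy))
    print("identity check leaks caller scope:", leaks(resolve_strict))
```

The strict variant still falls back to the caller's frame when the arguments are omitted, so default behaviour is unchanged and only the explicitly empty case differs.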