DOC: Document Remote Code Execution risk for Dataframe.query and computation.eval (pandas-dev#58697)

r0rshark · web-flow · commit b5b2d380b5ff · 2024-05-22T17:00:45.000-04:00
diff --git a/pandas/core/computation/eval.py b/pandas/core/computation/eval.py
@@ -193,6 +193,8 @@ def eval(
     corresponding bitwise operators.  :class:`~pandas.Series` and
     :class:`~pandas.DataFrame` objects are supported and behave as they would
     with plain ol' Python evaluation.
+    `eval` can run arbitrary code which can make you vulnerable to code
+    injection if you pass user input to this function.
 
     Parameters
     ----------
diff --git a/pandas/core/frame.py b/pandas/core/frame.py
@@ -4472,6 +4472,9 @@ def query(self, expr: str, *, inplace: bool = False, **kwargs) -> DataFrame | No
         """
         Query the columns of a DataFrame with a boolean expression.
 
+        This method can run arbitrary code which can make you vulnerable to code
+        injection if you pass user input to this function.
+
         Parameters
         ----------
         expr : str
