evalidate
2.1.4 verified Fri May 01 auth: no python
Evalidate is a Python library for validation and secure evaluation of untrusted Python expressions. Version 2.1.4 is current, with active development on GitHub. It provides an expression evaluator that restricts available nodes (e.g., no imports, no function calls unless whitelisted) to safely evaluate user-provided expressions.
pip install evalidate
Common errors
error AttributeError: module 'evalidate' has no attribute 'security'
cause The old API evalidate.security was removed in version 2.0.0.
fix
Use evalidate.Eval with whitelist/blacklist instead of evalidate.security.
error evalidate.exceptions.SecurityError: Node type 'Call' is blacklisted
cause The expression contains a function call, which is blacklisted by default.
fix
If you need to allow specific function calls, use a custom whitelist: Eval(whitelist=['Call', ...]) and provide allowed functions via global context.
Warnings
gotcha evalidate does NOT block all unsafe expressions by default. For example, attribute access on objects is allowed (e.g., 'obj.__class__') unless explicitly restricted. Always configure a whitelist/blacklist for production use.
fix Use evalidate.Eval with explicit node whitelist: Eval(whitelist=['Expression', 'Num', 'Str', 'Name', 'Load', 'BinOp', ...])
breaking In version 2.1.0, the signature of Eval.eval() changed to accept both local and global context parameters. Code written for older versions using only one context may break.
fix Update calls to Eval.eval(expr, ctx) to Eval.eval(expr, global_ctx=ctx) or Eval.eval(expr, local_ctx=ctx, global_ctx=ctx) as needed.
gotcha The default whitelist includes Is and IsNot nodes (since v2.1.3). This can be surprising if you expected strict equality only.
fix Remove 'Is' and 'IsNot' from the whitelist if you want to disallow identity comparisons.
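The node-whitelist check that these warnings rely on, as an added illustration built on Python's standard ast module. It is not evalidate's code or API; STRICT_NODES, rejected_nodes and safe_eval are hypothetical names, and the sample expressions are constructed.

```python
import ast

# Assumed strict policy for this illustration: arithmetic and comparisons on
# names and constants only. Attribute, Call, Is and IsNot are deliberately
# left out. Current Python parses literals as Constant (older: Num/Str).
STRICT_NODES = {
    "Expression", "Constant", "Name", "Load",
    "BinOp", "Add", "Sub", "Mult", "Div",
    "Compare", "Eq", "NotEq", "Lt", "Gt", "LtE", "GtE",
    "BoolOp", "And", "Or",
}

def rejected_nodes(expr, allowed=STRICT_NODES):
    """Return the sorted AST node type names in expr that are not allowed."""
    tree = ast.parse(expr, mode="eval")
    found = {type(node).__name__ for node in ast.walk(tree)}
    return sorted(found - set(allowed))

def safe_eval(expr, names, allowed=STRICT_NODES):
    """Evaluate expr only if every node type is allowed; names is the only context."""
    bad = rejected_nodes(expr, allowed)
    if bad:
        raise ValueError(f"disallowed node types: {bad}")
    code = compile(ast.parse(expr, mode="eval"), "<expr>", "eval")
    # Empty __builtins__ so a permitted Name cannot resolve to a builtin.
    return eval(code, {"__builtins__": {}}, dict(names))

# Constructed sample inputs covering the cases named in the warnings.
SAMPLES = ["price * qty + 1", "obj.__class__", "__import__('os')", "a is b"]

if __name__ == "__main__":
    ctx = {"price": 3, "qty": 4, "obj": object(), "a": 1, "b": 1}
    for s in SAMPLES:
        try:
            print(s, "->", safe_eval(s, ctx))
        except ValueError as e:
            print(s, "->", e)
```

Adding "Attribute" to the allowed set makes `obj.__class__` evaluate, which is why a whitelist that permits attribute access needs its own restriction on which attributes may be read.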
Imports
- evalidate
import evalidate
Quickstart
import evalidate
# Safe expression evaluation
result = evalidate.eval('1 + 2')
print(result) # 3
# Unsafe expression raises
# evalidate.eval('__import__("os")') # Raises SecurityError