
[BUG-SEC-2] eval() code execution in Python checksum tools — fstr() allows arbitrary Python execution #1290

@minguyen9988

Description

Summary

The fstr() function in both clickhouse_table_checksum.py and mysql_table_checksum.py uses eval() to process f-string templates, allowing arbitrary Python code execution if a malicious partition expression is provided.

Affected Code

Files:

  • sink-connector/python/db_compare/clickhouse_table_checksum.py
  • sink-connector/python/db_compare/mysql_table_checksum.py
  • sink-connector/python/db_compare/mysql_table_count.py

Vulnerable function:

def fstr(template, partition_expression):
    return eval(f"f'{template}'")

This function:

  1. Takes a template string containing {partition_expression} placeholders
  2. Wraps it in an f-string: f"f'{template}'"
  3. Passes it to eval(), which executes arbitrary Python code

Attack Vector

If partition_expression or template contains Python code, it will be executed:

# Example: partition_expression = "__import__('os').system('rm -rf /')"
# The eval() call will execute the system command
fstr("WHERE dt >= {partition_expression}", "__import__('os').system('whoami')")

The partition_expression value comes from command-line arguments or YAML config files, which may be controlled by users in shared environments.

Fix

Replace eval() with safe string substitution:

def fstr(template, partition_expression):
    if partition_expression is not None:
        return template.replace('{partition_expression}', str(partition_expression))
    return template

This achieves the same template substitution behavior without executing arbitrary code.
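As an added example (not code from the issue or from the sink-connector project), the safe fstr() above together with a constructed regression check: a template that carries a brace expression other than the supported placeholder now comes back as inert text instead of being evaluated. The unknown_placeholders() helper and the idea of surfacing stray brace groups at startup are my assumptions, not project behaviour.

```python
import re

# The only placeholder the checksum tools are documented to support.
PLACEHOLDER = "{partition_expression}"

def fstr(template, partition_expression):
    """Safe replacement for the eval()-based fstr(): plain text substitution only."""
    if partition_expression is not None:
        return template.replace(PLACEHOLDER, str(partition_expression))
    return template

# Any {...} group that is not exactly {partition_expression}.
# Under the old eval() design every such group was executed as Python;
# under the safe fstr() it is just text, but it usually means a
# misconfigured template, so a startup check can report it (assumed policy).
_UNKNOWN_BRACE = re.compile(r"\{(?!partition_expression\})[^}]*\}")

def unknown_placeholders(template):
    """Return the brace groups in template other than the supported placeholder."""
    return _UNKNOWN_BRACE.findall(template)

def regression_check():
    """Constructed hostile template: the extra brace group must survive verbatim."""
    hostile = "WHERE dt >= {partition_expression} AND {__import__('os').getcwd()}"
    rendered = fstr(hostile, "'2024-01-01'")
    # Only the supported placeholder was substituted; nothing was evaluated.
    assert rendered == "WHERE dt >= '2024-01-01' AND {__import__('os').getcwd()}"
    # The stray group is also reported by the startup check.
    assert unknown_placeholders(hostile) == ["{__import__('os').getcwd()}"]
    return rendered

if __name__ == "__main__":
    print(regression_check())
```

Running unknown_placeholders() over each configured template when the tool starts turns a silently ignored brace group into a visible configuration error.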

Impact

  • Severity: CRITICAL (Remote Code Execution — CWE-95)
  • Type: Code Injection via eval()
  • Affected versions: All versions with the Python db_compare tools
