== How to fix it in Python Standard Library

=== Code examples

The following code is vulnerable to arbitrary code execution because it runs
dynamic Python code based on untrusted data.

==== Noncompliant code example

[source,python,diff-id=1,diff-type=noncompliant]
----
from flask import request

@app.route("/")
def example():
    operation = request.args.get("operation")
    eval(f"product_{operation}()") # Noncompliant
    return "OK"
----

==== Compliant solution

[source,python,diff-id=1,diff-type=compliant]
----
from flask import request

@app.route("/")
def example():
    allowed = ["add", "remove", "update"]
    operation = allowed[request.args.get("operationId")]
    eval(f"product_{operation}()")

    return "OK"
----

=== How does this work?

include::../../common/fix/introduction.adoc[]

include::../../common/fix/parameters.adoc[]

include::../../common/fix/allowlist.adoc[]

The example compliant code uses such a binding approach.