Qiskit / qiskit / 15171633158

88%

Build Type

push

github

Committed by web-flow

Commit Message

Avoid using string parsing for ParameterExpression.sympify() (#14391)

* Avoid using string parsing for ParameterExpression.sympify()

In the recently merged #13278 the implementation for the sympify
method for ParameterExpression was changed because we no longer rely on
symengine internally. Previously we would just return the inner
symengine object used to represent the symbolic expression. Without
symengine available #13278 updated the implementation of the method to
generate a string representation of the expression and pass that to
sympify which has a "parser" for converting that expression string to a
sympy object. However, sympify() method is insecure as it internally
relies on Python's eval() to parse the string and can't be used for
untrusted input. While this doesn't have the same exact exposure as
in https://github.com/Qiskit/qiskit/security/advisories/GHSA-6m2c-76ff-6vrf
because you have to opt-in to using this function with input that is
untrusted and the degrees of freedom are less because it has to go
through the rust symbolic expression it is still a potential
vulnerability waiting to happen. This commit reworks the sympify
implementation to avoid using sympy's parser and instead just builds
the sympy expression from the internal state directly.

* Remove unused Rust functions that support sympy string generation

* Add test coverage for all of parameter expression

* Add .sign() to the megaexpression

Run Details

47 of 47 new or added lines in 2 files covered. (100.0%)

8 existing lines in 3 files now uncovered.

78468 of 88850 relevant lines covered (88.32%)

467453.75 hits per line