Qiskit / qiskit / 15171633158 / 1
88%
main: 88%

DEFAULT BRANCH: main
Ran
Files 811
Run time 24s
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst
coverage: 88.315% (+0.004%) from 88.311%
15171633158.1

push

github

web-flow 
Avoid using string parsing for ParameterExpression.sympify() (#14391)

* Avoid using string parsing for ParameterExpression.sympify()

In the recently merged #13278 the implementation for the sympify
method for ParameterExpression was changed because we no longer rely on
symengine internally. Previously we would just return the inner
symengine object used to represent the symbolic expression. Without
symengine available #13278 updated the implementation of the method to
generate a string representation of the expression and pass that to
sympify which has a "parser" for converting that expression string to a
sympy object. However, sympify() method is insecure as it internally
relies on Python's eval() to parse the string and can't be used for
untrusted input. While this doesn't have the same exact exposure as
in https://github.com/Qiskit/qiskit/security/advisories/GHSA-6m2c-76ff-6vrf
because you have to opt-in to using this function with input that is
untrusted and the degrees of freedom are less because it has to go
through the rust symbolic expression it is still a potential
vulnerability waiting to happen. This commit reworks the sympify
implementation to avoid using sympy's parser and instead just builds
the sympy expression from the internal state directly.

* Remove unused Rust functions that support sympy string generation

* Add test coverage for all of parameter expression

* Add .sign() to the megaexpression

78468 of 88850 relevant lines covered (88.32%)

467453.75 hits per line

Source Files on job 15171633158.1