python-kwargs-setattr-security
Problem Pattern
Using hasattr(obj, k) / setattr(obj, k, v) to apply user-controlled kwargs is insecure. The hasattr check is not a security guard: it returns True for every attribute the object exposes, including methods, private names, dunder names such as __class__ and __dict__, and any attribute the code later calls or trusts. An attacker who controls the keys can therefore overwrite whatever the object already has, not just the settings you meant to expose.
    # INSECURE — do not use
    for k, v in kwargs.items():
        if hasattr(options, k):
            setattr(options, k, v)
Fix: Explicit Allowlist
Define a module-level frozenset of the attribute names that may be set from kwargs and assign only those. Raise RuntimeError for names that are known to exist but are deliberately blocked, so an attempt to reach them fails loudly; silently ignore unknown keys. Note that ignoring unknown keys also hides typos in legitimate callers; if that matters, raise for them as well, but never fall back to hasattr to decide.
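The following is an added example, not code from the skill itself. It puts the insecure loop next to an allowlist version so the difference is visible on the same input. The Options class, the attribute sets, and the function names are assumptions for illustration; the kwargs dictionaries are constructed samples.

```python
"""Allowlisted setattr from untrusted kwargs, beside the insecure pattern.

Added example; Options, apply_options and the attribute sets are assumptions
for illustration, not an API from the skill.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Any, Mapping


@dataclass
class Options:
    """Constructed settings object; on_error stands in for an attribute the
    application later invokes, which is why user input must never reach it."""
    timeout: float = 30.0
    retries: int = 3
    verbose: bool = False
    on_error: Any = None


# Names a caller may set from untrusted kwargs.
SAFE_OPTION_ATTRS: frozenset[str] = frozenset({"timeout", "retries", "verbose"})

# Names the object exposes (hasattr is True) but that must fail loudly if a
# caller tries to set them. Listed explicitly so they are not mistaken for
# unknown keys and silently dropped.
BLOCKED_OPTION_ATTRS: frozenset[str] = frozenset({"on_error", "__class__", "__dict__"})

# Constructed attacker-controlled input: one legitimate key, one key that
# hasattr() accepts but should be blocked, one key that does not exist.
UNTRUSTED_KWARGS: dict[str, Any] = {
    "timeout": 5,
    "on_error": lambda *args: "attacker-supplied callable ran",
    "colour": "red",
}


def hasattr_accepts(options: Options, names: tuple[str, ...]) -> list[str]:
    """Return the names hasattr() says are settable; shows why it is no guard."""
    return [name for name in names if hasattr(options, name)]


def apply_options_insecure(options: Options, kwargs: Mapping[str, Any]) -> Options:
    """The vulnerable pattern from the skill, kept for comparison only."""
    for k, v in kwargs.items():
        if hasattr(options, k):  # True for on_error, __class__, __dict__, ...
            setattr(options, k, v)
    return options


def apply_options(options: Options, kwargs: Mapping[str, Any]) -> Options:
    """Allowlist version: assign only SAFE_OPTION_ATTRS.

    Known-but-blocked names raise RuntimeError so the attempt is visible.
    Any other underscore-prefixed name is treated the same way (a small
    defence-in-depth step beyond the skill's minimum). Unknown names are
    ignored, as the skill specifies.
    """
    for k, v in kwargs.items():
        if k in SAFE_OPTION_ATTRS:
            setattr(options, k, v)
        elif k in BLOCKED_OPTION_ATTRS or k.startswith("_"):
            raise RuntimeError(f"attribute {k!r} may not be set from kwargs")
        # else: unknown key, silently ignored
    return options


def clobber_state_insecure() -> dict[str, Any]:
    """Show that the insecure loop lets kwargs replace the whole instance
    state via __dict__, because hasattr(options, '__dict__') is True."""
    options = apply_options_insecure(Options(), {"__dict__": {"timeout": 0}})
    return vars(options)


def main() -> None:
    print("hasattr accepts:", hasattr_accepts(Options(), ("__class__", "__dict__", "on_error")))
    leaked = apply_options_insecure(Options(), UNTRUSTED_KWARGS)
    print("insecure set on_error to:", leaked.on_error)
    try:
        apply_options(Options(), UNTRUSTED_KWARGS)
    except RuntimeError as exc:
        print("allowlist rejected:", exc)
    safe = apply_options(Options(), {"timeout": 5, "colour": "red"})
    print("allowlist result:", safe)


if __name__ == "__main__":
    main()
```

The blocked set is deliberately small and explicit; the allowlist is what actually decides, and the blocklist only controls whether a rejected key is loud or quiet. If callers should never send unknown keys, turn the final silent branch into a raise as well.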