Safe Parsing of Strings in Python with ast.literal_eval

In Python development, converting external string data into safe Python objects is a common requirement; while the built‑in eval function is powerful, it poses security risks, making ast.literal_eval the preferred safe alternative.

Overview of ast.literal_eval – Located in the standard ast module, this function parses a string and safely returns Python literal structures such as lists, dictionaries, numbers, strings, and booleans without executing any code, thereby mitigating the risk of malicious code execution.

Why choose ast.literal_eval

Security: only literal expressions are allowed, eliminating code execution.

Flexibility: supports many Python literal types for complex data structures.

Broad applicability: ideal for handling configuration files, user input, and other external data sources.

Basic usage

Example 1 – Parse a string into a list:

import ast
s = "[1, 2, 3]"
result = ast.literal_eval(s)
print(result)  # 输出：[1, 2, 3]

Example 2 – Parse a string into a dictionary:

d = "{1: 'a', 2: 'b'}"
parsed_dict = ast.literal_eval(d)
print(parsed_dict)  # 输出：{1: 'a', 2: 'b'}

Advanced applications

Example 3 – Safely process a configuration file:

with open('config.txt', 'r') as file:
    content = file.read()
settings = {}
for line in content.split('\n'):
    if '=' in line:
        key, value = line.split('=', 1)
        settings[key.strip()] = ast.literal_eval(value.strip())
print(settings)  # 输出：{'max_users': 100, 'debug_mode': False}

Example 4 – Parse nested structures:

nested_str = "[{'name': 'Alice', 'scores': [85, 90]}, {'name': 'Bob', 'scores': [78, 92]}]"
data = ast.literal_eval(nested_str)
print(data)  # 输出：[{ 'name': 'Alice', 'scores': [85, 90] }, { 'name': 'Bob', 'scores': [78, 92] }]

Special scenario handling

Example 5 – Boolean and None values:

bool_str = "True"
none_str = "None"
print(ast.literal_eval(bool_str))  # 输出：True
print(ast.literal_eval(none_str))  # 输出：None

Example 6 – Numeric literals:

number_str = "3.14"
print(ast.literal_eval(number_str))  # 输出：3.14

Error handling and security tips

Example 7 – Exception capture for malformed input:

try:
    invalid_str = "{unbalanced_brackets"
    ast.literal_eval(invalid_str)
except ValueError as e:
    print("Invalid input:", e)

Example 8 – Avoiding potential security pitfalls: even though ast.literal_eval is relatively safe, always validate and sanitize untrusted input before processing.

Conclusion

ast.literal_eval provides Python developers with a reliable and secure tool for converting external string data into native data structures, offering rich parsing capabilities while minimizing security risks; combined with proper error handling and input validation, it enables robust and efficient data processing in projects.