From aa6fabb41f0d2916fc14552485fbcc91ff5527c1 Mon Sep 17 00:00:00 2001
From: Janick Martinez Esturo
Date: Fri, 15 May 2026 10:53:40 +0200
Subject: [PATCH] fix(components): replace eval() with ast.literal_eval() for safe metadata parsing
---
 ncore/impl/data/v4/components.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/ncore/impl/data/v4/components.py b/ncore/impl/data/v4/components.py
index 97d6c66b..f5e3b3d3 100644
--- a/ncore/impl/data/v4/components.py
+++ b/ncore/impl/data/v4/components.py
@@ -15,6 +15,7 @@
 from __future__ import annotations
+import ast
 import concurrent.futures
 import io
 import json
@@ -833,7 +834,7 @@ def get_static_poses(self) -> Generator[Tuple[Tuple[str, str], npt.NDArray[np.fl
 """Returns all static poses (rigid transformations) between named coordinate frames, if available"""
 for key, static_pose in self._group["static_poses"].attrs.items():
- yield eval(key), np.array(static_pose["pose"], dtype=static_pose["dtype"])
+ yield ast.literal_eval(key), np.array(static_pose["pose"], dtype=static_pose["dtype"])
 def get_dynamic_poses(
 self,
@@ -842,7 +843,7 @@ def get_dynamic_poses(
 for key, dynamic_poses in self._group["dynamic_poses"].attrs.items():
 yield (
- eval(key),
+ ast.literal_eval(key),
 (
 np.array(dynamic_poses["poses"], dtype=dynamic_poses["dtype"]),
 np.array(dynamic_poses["timestamps_us"], dtype=np.uint64),
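Review bot: `ast.literal_eval(key)` in `get_static_poses` (and the identical call in the `get_dynamic_poses` hunk) stops code execution but still accepts any Python literal, so a key such as `"[1, 2]"` or `"{'a': 1}"` in a crafted store is yielded unchanged even though the visible signature promises a `Tuple[str, str]`. A malformed key now raises `ValueError` or `SyntaxError` from inside the generator, and the `ast` documentation warns that very large or deeply nested input can still exhaust memory or the interpreter stack, so key parsing remains a denial-of-service surface when the store is untrusted. I would route both call sites through one private helper that parses the key, checks that it is a pair of strings and raises a `ValueError` naming the offending key, as sketched below. Both method bodies continue outside the hunks, so I cannot tell whether callers already guard the iteration.

```python
def _parse_frame_pair_key(key: str) -> Tuple[str, str]:
    """Parse an attrs key into a (frame, frame) name pair, rejecting any other literal."""
    try:
        parsed = ast.literal_eval(key)
    except (ValueError, TypeError, SyntaxError) as err:
        raise ValueError(f"malformed pose key {key!r}") from err
    if not (isinstance(parsed, tuple) and len(parsed) == 2 and all(isinstance(p, str) for p in parsed)):
        raise ValueError(f"pose key {key!r} is not a pair of frame names")
    return parsed

# … unchanged: get_static_poses signature and docstring …
        for key, static_pose in self._group["static_poses"].attrs.items():
            yield _parse_frame_pair_key(key), np.array(static_pose["pose"], dtype=static_pose["dtype"])

# … unchanged: get_dynamic_poses signature, loop header and `yield (` …
                _parse_frame_pair_key(key),
# … unchanged: pose and timestamp arrays …
```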