From 1fe763ab39e4ea47f99fd6cb301091de83951582 Mon Sep 17 00:00:00 2001
From: Karl Knechtel <zahlman@proton.me>
Date: Mon, 11 Nov 2024 02:04:16 -0500
Subject: [PATCH] Avoid unnecessary use of eval (insecure)

The appropriate way to convert a hexadecimal string to integer is by using the built-in functionality of `int`. The `eval` function is insecure; if the input could possibly come from outside the program, no matter how indirectly, this creates a risk of an arbitrary code execution exploit. It's also much less efficient.
---
 src/PyMca5/PyMcaGui/plotting/MaskScatterWidget.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/PyMca5/PyMcaGui/plotting/MaskScatterWidget.py b/src/PyMca5/PyMcaGui/plotting/MaskScatterWidget.py
index 8419a32e3..98f638eb9 100644
--- a/src/PyMca5/PyMcaGui/plotting/MaskScatterWidget.py
+++ b/src/PyMca5/PyMcaGui/plotting/MaskScatterWidget.py
@@ -84,9 +84,9 @@ def __init__(self, parent=None, backend=None, plugins=False, newplot=False,
         self._selectionColors = numpy.zeros((len(self.colorList), 4), numpy.uint8)
         self._alphaLevel = None
         for i in range(len(self.colorList)):
-            self._selectionColors[i, 0] = eval("0x" + self.colorList[i][-2:])
-            self._selectionColors[i, 1] = eval("0x" + self.colorList[i][3:-2])
-            self._selectionColors[i, 2] = eval("0x" + self.colorList[i][1:3])
+            self._selectionColors[i, 0] = int(self.colorList[i][-2:], 16)
+            self._selectionColors[i, 1] = int(self.colorList[i][3:-2], 16)
+            self._selectionColors[i, 2] = int(self.colorList[i][1:3], 16)
             self._selectionColors[i, 3] = 0xff
         self._maxNRois = maxNRois
         self._nRoi = 1