From b90f10efeb670a2cc877fb88ebb3f2019189e059 Mon Sep 17 00:00:00 2001
From: Adrin Jalali
Date: Mon, 5 Sep 2022 15:15:04 +0200
Subject: [PATCH] FIX make sure pre_dispatch cannot do arbitrary code execution (#1321)
---
joblib/parallel.py | 10 ++++++++--
1 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/joblib/parallel.py b/joblib/parallel.py
index f9c84548d..1c2fe18f7 100644
--- a/joblib/parallel.py
+++ b/joblib/parallel.py
@@ -504,7 +504,9 @@ class Parallel(Logger):
pre_dispatch: {'all', integer, or expression, as in '3*n_jobs'}
The number of batches (of tasks) to be pre-dispatched.
Default is '2*n_jobs'. When batch_size="auto" this is reasonable
- default and the workers should never starve.
+ default and the workers should never starve. Note that only basic
+ arithmetics are allowed here and no modules can be used in this
+ expression.
batch_size: int or 'auto', default: 'auto'
The number of atomic tasks to dispatch at once to each worker.
When individual evaluations are very fast, dispatching
@@ -1049,7 +1051,11 @@ def _batched_calls_reducer_callback():
else:
self._original_iterator = iterator
if hasattr(pre_dispatch, 'endswith'):
- pre_dispatch = eval(pre_dispatch)
+ pre_dispatch = eval(
+ pre_dispatch,
+ {"n_jobs": n_jobs, "__builtins__": {}}, # globals
+ {} # locals
+ )
self._pre_dispatch_amount = pre_dispatch = int(pre_dispatch)

# The main thread will consume the first pre_dispatch items and
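Review bot: Emptying `__builtins__` in the globals passed to `eval(pre_dispatch, ...)` in the second hunk does not stop code execution: attribute access and calls are still allowed, so an expression starting from any literal, e.g. `().__class__.__base__.__subclasses__()`, can walk to a class whose `__init__.__globals__` exposes `os` and call it, which is the well-known escape from this kind of eval "sandbox". The docstring added in the first hunk ("only basic arithmetics are allowed") therefore promises more than the code enforces. I would drop `eval` entirely and evaluate the string through `ast.parse(expr, mode='eval')` against an explicit whitelist of node types (int constants, the name `n_jobs`, binary `+ - * / // %`, unary minus), raising `ValueError` for anything else; this needs `import ast` and `import operator` at the top of the module, and `ast.Num` handled alongside `ast.Constant` if Python < 3.8 is still supported. `**` is left out on purpose so a string like `'9**9**9'` cannot be used to hang the process. The enclosing method starts and ends outside the hunk.
```python
_PRE_DISPATCH_OPS = {
    ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
    ast.Div: operator.truediv, ast.FloorDiv: operator.floordiv,
    ast.Mod: operator.mod, ast.USub: operator.neg,
}


def _eval_pre_dispatch(expr, n_jobs):
    """Evaluate a ``pre_dispatch`` string such as '3*n_jobs' without eval().

    Only integer literals, the name ``n_jobs``, the binary operators
    + - * / // % and unary minus are accepted; attribute access, calls,
    subscripts or any other name raise ValueError.
    """
    def _ev(node):
        if isinstance(node, ast.Constant) and type(node.value) is int:
            return node.value
        if isinstance(node, ast.Name) and node.id == 'n_jobs':
            return n_jobs
        if isinstance(node, ast.BinOp) and type(node.op) in _PRE_DISPATCH_OPS:
            return _PRE_DISPATCH_OPS[type(node.op)](_ev(node.left), _ev(node.right))
        if isinstance(node, ast.UnaryOp) and type(node.op) in _PRE_DISPATCH_OPS:
            return _PRE_DISPATCH_OPS[type(node.op)](_ev(node.operand))
        raise ValueError(
            "pre_dispatch must be an arithmetic expression in n_jobs, got %r"
            % (expr,))

    try:
        tree = ast.parse(expr, mode='eval')
    except SyntaxError as e:
        raise ValueError("invalid pre_dispatch expression %r" % (expr,)) from e
    return _ev(tree.body)

# … unchanged: iterator set-up inside the method …
        if hasattr(pre_dispatch, 'endswith'):
            pre_dispatch = _eval_pre_dispatch(pre_dispatch, n_jobs)
        self._pre_dispatch_amount = pre_dispatch = int(pre_dispatch)
```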