Remove # nosec comments from Python SDK templates

[Copilot]

The Python SDK templates contain # nosec comments that generate false-positive security reports and cause confusion. These comments suppress security scanner warnings on eval() calls and XML parsing operations.

Changes

• Replace eval() with direct type mapping: Added _basic_types_mapping = {"str": str, "int": int, "bool": bool, "float": float} dictionaries to both Serializer and Deserializer classes. Changed eval(data_type)(data) to cls._basic_types_mapping[data_type](data).

• Remove XML parsing # nosec markers: Removed # nosec from ET.fromstring() calls. Python 3's xml.etree.ElementTree doesn't process external entities by default, making these suppressions unnecessary.

Before:

def serialize_basic(cls, data, data_type, **kwargs):
    if data_type == "str":
        return cls.serialize_unicode(data)
    return eval(data_type)(data)  # nosec # pylint: disable=eval-used

After:

_basic_types_mapping = {"str": str, "int": int, "bool": bool, "float": float}

def serialize_basic(cls, data, data_type, **kwargs):
    if data_type == "str":
        return cls.serialize_unicode(data)
    return cls._basic_types_mapping[data_type](data)

All call sites validate data_type in self.basic_types.values() before invoking these methods, ensuring the dictionary lookups are safe.

Original prompt

---

This section details on the original issue you should resolve

<issue_title>[python] remove # nosec in Python SDK to avoid confusion about security</issue_title>
<issue_description>Context
We need to remove all "nosec" of our code:
https://github.com/Azure/azure-sdk-for-python/blob/174aa8804a1cec1661b016c3cba961481ce959fe/sdk/cdn/azure-mgmt-cdn/azure/mgmt/cdn/_serialization.py#L1761

we get too many ICMs of people convinced they found the security bug in a Microsoft bug of the year. It's not worth the time I spend on it. This eval was done to save a few lines of code, without real reasons that we can't change it.
We iterate through this:

Python
basic_types = {str: "str", int: "int", bool: "bool", float: "float"}

while technically the key is alredy the type we are evaluating the string value to, so it should be super easy to get rid of this eval, and indirectly get rid of the nosec as a consequence.

Goal
Update

typespec/packages/http-client-python/generator/pygen/codegen/templates/serialization.py.jinja2

Line 826 in a2c1939

return eval(data_type)(data) # nosec # pylint: disable=eval-used

and

typespec/packages/http-client-python/generator/pygen/codegen/templates/serialization.py.jinja2

Line 1782 in a2c1939

return eval(data_type)(attr) # nosec # pylint: disable=eval-used

to remove # nosec

Note

• DO remember to add changelog
  </issue_description>

Comments on the Issue (you are @copilot in this section)

@msyyc Created from [teams channel](https://teams.microsoft.com/l/message/19:meeting_Yzk1ZDlkNzAtZTAzZi00OTQzLWE1MDAtNTFiYTljODcwYzc4@thread.v2/1765589099543?context=%7B%22contextType%22%3A%22chat%22%7D), and we should make sure all `# nosec` to be removed: https://github.com/search?q=repo%3Amicrosoft%2Ftypespec%20path%3A%2F%5Epackages%5C%2Fhttp-client-python%5C%2F%2F%20%23%20nosec&type=code

• Fixes [python] remove # nosec in Python SDK to avoid confusion about security #9205

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

[pkg-pr-new]

Open in StackBlitz

npm i https://pkg.pr.new/microsoft/typespec/@typespec/http@9206

npm i https://pkg.pr.new/microsoft/typespec/@typespec/http-client@9206

commit: c9d6e02

[github-actions]

All changed packages have been documented.

• ✅ @typespec/http-client-python

Show changes

@typespec/http-client-python - fix ✏️

Remove # nosec comments from Python SDK to avoid security confusion