> FWIW I found another place where a similar thing is done, though by chance it's probably not exploitable - see GH-22575.
I agree that test_ucn is not exploitable, but it would be nice to harden it anyway.
Extract of the code:
self.assertEqual(unicodedata.lookup(seqname), codepoints)
with self.assertRaises(SyntaxError):
self.checkletter(seqname, None)
test_ucn downloads http://www.pythontest.net/unicode/13.0.0/NamedSequences.txt and calls checkletter() on each line, but first it ensures that unicodedata.lookup(seqname) works as expected.
I don't see how it would be possible to inject arbitrary Python code in the 'seqname' variable without making unicodedata.lookup() to fail.