sugarlabs / chart

A graphing sugar activity
GNU General Public License v3.0

Accepts expressions as input #8

Closed sanjaymaniam closed 4 years ago

sanjaymaniam commented 4 years ago

PR following this issue.

quozl commented 4 years ago

Thanks.

Is there a way to not have it execute Python functions? I can type exit(0) to stop the program, or call any of the methods of the os module, e.g. os.system.

We might want to extend Chart some day to include collaboration, and this would let any fellow student execute any code. :grin:

sanjaymaniam commented 4 years ago

Hi, thanks for the reply :)

If we only want to support fractions and regular numbers, then I could split with the '/' for a string and divide it off. For evaluating an expression, I'm going to have to build a tree and process that. Is there a simpler way?

Also, I don't quite understand why we want to avoid built-in functions, aren't they supposed to be super reliable?

quozl commented 4 years ago

No, built-in functions aren't super reliable, they are built on source code written by humans, and have specific goals and non-goals. Built-in functions are just like any other function, except they are built-in and you don't have to write them.

The trouble is in leaving open a gap into which an attacker can reach beyond where they ought to.

Some built-in functions can be destructive.

Let's imagine you and I are sharing the Chart activity; you are entering data, the data is being evaluated and displayed on both computers. Leaving open an opportunity for you to execute any Python code on my computer would be (a) unwise for both of us, (b) not industry standard security.

Documentation for eval does provide an alternative that works on literals only. Thus:

>>> import ast
>>> ast.literal_eval('9')
9
>>> ast.literal_eval('9+4')
13
>>> ast.literal_eval('9+4+exit(0)')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python3.6/ast.py", line 85, in literal_eval
    return _convert(node_or_string)
  File "/usr/lib/python3.6/ast.py", line 78, in _convert
    right = _convert(node.right)
  File "/usr/lib/python3.6/ast.py", line 84, in _convert
    raise ValueError('malformed node or string: ' + repr(node))
ValueError: malformed node or string: <_ast.Call object at 0x7f52c088f6a0>

The ast module is built-in.
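An added example (not Chart's code, and not posted by anyone in this thread) showing the contrast the comment above draws: the eval pattern that lets a fellow student run exit(0) or os.system, next to a hardened evaluator that uses the built-in ast module to parse the input and then walks the tree accepting only an allow-list of arithmetic nodes. It goes beyond ast.literal_eval by supporting multiplication, division, unary minus and parentheses, while still rejecting calls, names, attributes and the like. Everything here is assumed: the function names safe_value, accepted, BadExpression, the 64-character length cap, the sample inputs (constructed for the demo), and Python 3.8+ (where numbers parse as ast.Constant).

```python
"""Evaluate user-typed chart values without giving the typist a Python shell.

Added example, not Chart's own code. Assumes Python 3.8+ (ast.Constant).
"""
import ast
import operator


class BadExpression(ValueError):
    """Raised for input that is not plain, finite arithmetic."""


def unsafe_value(text):
    """The pattern the thread warns about: 'exit(0)' or
    "__import__('os').system('...')" typed into a chart cell gets executed.
    Kept only for contrast; never call it on untrusted input."""
    return eval(text)  # deliberately insecure


# Allow-list of operators. Pow is left out on purpose: '9**9**9**9' would
# pin the CPU, which matters once input arrives from a collaborator.
_BINARY = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
}
_UNARY = {
    ast.UAdd: operator.pos,
    ast.USub: operator.neg,
}


def safe_value(text, max_len=64):
    """Parse text as a Python expression and evaluate it if, and only if,
    every node is a number, a unary sign or one of the four operators."""
    if len(text) > max_len:  # assumed cap; keeps parser work bounded
        raise BadExpression("expression too long")
    try:
        tree = ast.parse(text, mode="eval")
    except SyntaxError as exc:
        raise BadExpression("not an expression: %r" % text) from exc
    return _eval_node(tree.body)


def _eval_node(node):
    # Plain int/float literals. bool is a Constant too, so exclude it.
    if (isinstance(node, ast.Constant)
            and isinstance(node.value, (int, float))
            and not isinstance(node.value, bool)):
        return node.value
    if isinstance(node, ast.BinOp) and type(node.op) in _BINARY:
        left, right = _eval_node(node.left), _eval_node(node.right)
        try:
            return _BINARY[type(node.op)](left, right)
        except ZeroDivisionError as exc:
            raise BadExpression("division by zero") from exc
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY:
        return _UNARY[type(node.op)](_eval_node(node.operand))
    # Call, Name, Attribute, Subscript, Pow, strings, comparisons, ...:
    # anything not explicitly allowed above is refused.
    raise BadExpression("disallowed syntax: %s" % type(node).__name__)


def accepted(text):
    """True if safe_value evaluates text, False if it rejects it."""
    try:
        safe_value(text)
    except BadExpression:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs: what a student might type into a cell.
    samples = ["9", "9+4", "3/4", "(3 + 4) * 2 / 7", "-0.5 + 1",
               "9+4+exit(0)", "__import__('os').system('id')",
               "2**100", "'a' * 3", "1/0"]
    for s in samples:
        try:
            print("%-32s -> %r" % (s, safe_value(s)))
        except BadExpression as err:
            print("%-32s -> rejected (%s)" % (s, err))
```

The design choice is an allow-list rather than a deny-list: new Python syntax, or a trick nobody thought of, is rejected by default instead of slipping through. If Chart later needs functions such as sqrt, add an ast.Call branch that checks the callee is a bare ast.Name in a small dict of permitted functions, rather than widening the rule to "any call".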

sanjaymaniam commented 4 years ago

Thanks for the neat explanation @quozl.

Apparently ast.literal_eval() is confined to addition and subtraction, so I took that workaround.

Let me know if there's anything you'd want me to fix :)

quozl commented 4 years ago

Thanks. Reviewed. Tested.