Closed sanjaymaniam closed 4 years ago
Thanks.
Is there a way to not have it execute Python functions? I can type exit(0) to stop the program, or call any of the methods of the os module, e.g. os.system.
We might want to extend Chart some day to include collaboration, and this would let any fellow student execute any code. :grin:
Hi, thanks for the reply :)
If we only want to support fractions and regular numbers, then I could split with the '/' for a string and divide it off. For evaluating an expression, I'm going to have to build a tree and process that. Is there a simpler way?
Also, I don't quite understand why we want to avoid built-in functions, aren't they supposed to be super reliable?
No, built-in functions aren't super reliable, they are built on source code written by humans, and have specific goals and non-goals. Built-in functions are just like any other function, except they are built-in and you don't have to write them.
The trouble is in leaving open a gap into which an attacker can reach beyond where they ought to.
Some built-in functions can be destructive.
Let's imagine you and I are sharing the Chart activity; you are entering data, the data is being evaluated and displayed on both computers. Leaving open an opportunity for you to execute any Python code on my computer would be (a) unwise for both of us, (b) not industry standard security.
Documentation for eval does provide an alternative that works on literals only. Thus;
>>> import ast
>>> ast.literal_eval('9')
9
>>> ast.literal_eval('9+4')
13
>>> ast.literal_eval('9+4+exit(0)')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python3.6/ast.py", line 85, in literal_eval
    return _convert(node_or_string)
  File "/usr/lib/python3.6/ast.py", line 78, in _convert
    right = _convert(node.right)
  File "/usr/lib/python3.6/ast.py", line 84, in _convert
    raise ValueError('malformed node or string: ' + repr(node))
ValueError: malformed node or string: <_ast.Call object at 0x7f52c088f6a0>
The ast module is built-in.
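For the case raised above, where cells may hold fractions like 3/4 or plain arithmetic but must never reach a Python function, the tree can come from ast.parse rather than being built by hand; the evaluator then walks it and accepts only numeric literals and a short list of operators. This is an added illustration, not code from the Chart activity or from either commenter; the function names safe_eval and rejects are assumptions.

```python
import ast
import operator
from fractions import Fraction

# Allow-list of operators. Anything outside it, and any Call, Name or
# Attribute node, is rejected before evaluation ever happens.
_BIN_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
}
_UNARY_OPS = {ast.UAdd: operator.pos, ast.USub: operator.neg}


def safe_eval(text):
    """Evaluate '3/4', '9+4', '-1/2 + 1' and similar as an exact Fraction.

    Raises ValueError for anything that is not arithmetic on numeric
    literals (calls such as exit(0), names such as os, strings, power,
    comparisons, statements), so user input cannot reach any function.
    """
    try:
        # mode='eval' refuses statements (import, assignment) at parse time.
        tree = ast.parse(text, mode="eval")
    except SyntaxError as exc:
        raise ValueError("not an expression: %r" % text) from exc
    return _eval_node(tree.body)


def _eval_node(node):
    # Numeric literal (ast.Constant, Python 3.8+); bool is excluded on purpose.
    if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)) \
            and not isinstance(node.value, bool):
        return Fraction(str(node.value))      # str() keeps 1.1 as 11/10
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        left, right = _eval_node(node.left), _eval_node(node.right)
        if isinstance(node.op, ast.Div) and right == 0:
            raise ValueError("division by zero in %r" % ast.unparse(node))
        return _BIN_OPS[type(node.op)](left, right)
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
        return _UNARY_OPS[type(node.op)](_eval_node(node.operand))
    # Everything else: Call, Name, Attribute, Subscript, str, IfExp, Pow ...
    raise ValueError("unsupported expression: " + ast.dump(node))


def rejects(text):
    """True when safe_eval refuses the input (handy for checking cells)."""
    try:
        safe_eval(text)
    except ValueError:
        return True
    return False
```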
Thanks for the neat explanation @quozl.
Apparently ast.literal_eval() is confined to addition and subtraction, so I took that workaround.
Let me know if there's anything you'd want me to fix :)
Thanks. Reviewed. Tested.
PR following this issue.