timvink / mkdocs-table-reader-plugin

MkDocs plugin that enables a markdown tag like {{ read_csv('table.csv') }} to directly insert various table formats into a page
https://timvink.github.io/mkdocs-table-reader-plugin/
MIT License

eval() is security issue #1

Closed petrmachcz closed 4 years ago

petrmachcz commented 4 years ago

Using eval() for evaluating an untrusted string from markdown text is a big security issue.

Use the safe literal_eval() for evaluating a string literal.

https://docs.python.org/3/library/ast.html#ast.literal_eval

timvink commented 4 years ago

Hi, thanks @petrmachcz for the heads-up & the guidance.

Works fine locally on mac, but unit tests fail for ubuntu. Will look into it tomorrow.

timvink commented 4 years ago

literal_eval() has some limitations, like:

```python
import ast
import pandas as pd

# works: eval() runs arbitrary expressions, including attribute access and calls
eval("pd.util.testing.makeDataFrame().head(3)")
# doesn't work: literal_eval() only accepts Python literals, so a call
# expression raises ValueError
ast.literal_eval("pd.util.testing.makeDataFrame().head(3)")
```

and

```python
ast.literal_eval("\r\t")  # fails: whitespace only, there is no literal to evaluate
```

I wrote a new module safe_eval to get around those limitations.

I just released v.0.2 to include this and some other improvements, see the release notes.

Cheers!
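One way to evaluate the arguments of a `{{ read_csv('table.csv') }}` tag without `eval()`, as an added example that is not the plugin's own `safe_eval` module: the tag is parsed with `ast`, and only the argument nodes are fed to `ast.literal_eval()`, so calls, attribute access and bare names from untrusted markdown are rejected. The tag regex and the `ALLOWED_READERS` whitelist are assumptions made for this example.

```python
import ast
import re

# Assumed tag shape for this example, e.g. {{ read_csv('table.csv', sep=';') }}
TAG_RE = re.compile(r"\{\{\s*(\w+)\((.*)\)\s*\}\}")

# Hypothetical whitelist of reader functions the page is allowed to invoke
ALLOWED_READERS = {"read_csv", "read_excel"}


def parse_tag(text: str):
    """Return (reader_name, args, kwargs) for a table tag.

    Only Python literals are accepted as arguments. Any other node (a call,
    attribute access, a name, star expansion) makes literal_eval raise
    ValueError, so markdown content cannot run code.
    """
    m = TAG_RE.search(text)
    if not m:
        raise ValueError("no table tag found")
    reader, arg_src = m.group(1), m.group(2)
    if reader not in ALLOWED_READERS:
        raise ValueError(f"reader {reader!r} not allowed")
    # Parse the argument list as a call; 'f' is a placeholder name and only
    # the argument nodes of the resulting ast.Call are used.
    call = ast.parse(f"f({arg_src})", mode="eval").body
    if not isinstance(call, ast.Call):
        raise ValueError("arguments did not parse as a call")
    # literal_eval on an AST node rejects anything that is not a literal,
    # e.g. pd.util.testing.makeDataFrame().head(3) from the comment above.
    args = [ast.literal_eval(a) for a in call.args]
    if any(kw.arg is None for kw in call.keywords):
        raise ValueError("**kwargs expansion not allowed")
    kwargs = {kw.arg: ast.literal_eval(kw.value) for kw in call.keywords}
    return reader, args, kwargs


def tag_is_safe(text: str) -> bool:
    """True when the tag parses to literals only, False when it is rejected."""
    try:
        parse_tag(text)
        return True
    except (ValueError, SyntaxError):
        return False
```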