Question about ast.literal_eval
Frank Millman
frank at chagford.com
Tue May 21 01:54:28 EDT 2013
On 21/05/2013 04:39, matt.newville at gmail.com wrote:
>
> You might find the asteval module (https://pypi.python.org/pypi/asteval) useful. It provides a relatively safe "eval", for example:
>
> >>> import asteval
> >>> a = asteval.Interpreter()
> >>> a.eval('x = "abc"')
> >>> a.eval('x in ("abc", "xyz")')
> True
> >>> a.eval('import os')
> NotImplementedError
> import os
> 'Import' not supported
> >>> a.eval('__import__("os")')
> NameError
> __import__("os")
> name '__import__' is not defined
>
> This works by maintaining an internal namespace (a flat dictionary), and walking the AST generated for the expression. It supports most Python syntax,
> including if, for, while, and try/except blocks, and function definitions, and with the notable exceptions of eval, exec, class, lambda, yield, and import. This requires Python2.6 and higher, and does work with Python3.3.
>
> Of course, it is not guaranteed to be completely safe, but it does disallow imports, which seems like the biggest vulnerability concern listed here. Currently, there is no explicit protection against long-running calculations for denial of service attacks. If you're exposing an SQL database to user-generated code, that may be worth considering.
Thanks for this, Matt. I will definitely look into it.
Frank
More information about the Python-list
mailing list