{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 傲 的问题《How to safely use exec() in Python?》','https://www.manongdao.com/q-1343040.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I have been tasked with building an application where an end user can have custom rules to evaluate whether a returned query results in a warning or alert (based on there own thresholds).
I've built a way for the user to template their logic. An example looks like this:
if (abs(<<21>>) >= abs(<<22>>)):
retVal = <<21>>
else:
retVal = <<22>>
The <<21>> and <<22>> parameters will be substituted with values found earlier in the program. Once all this substitution occurs I have a very simple if/else block (in this example) that looks like this stored in a variable (execCd):
if (abs(22.0) >= abs(-162.0)):
retVal = 22.0
else:
retVal = -162.0
This will exec() correctly. Now, how can I secure this? I've looked at this article: http://lybniz2.sourceforge.net/safeeval.html
My code ends up looking like this:
safe_list = ['math','acos', 'asin', 'atan', 'atan2', 'ceil', 'cos', 'cosh', 'de grees', 'e', 'exp', 'fabs', 'floor', 'fmod', 'frexp', 'hypot', 'ldexp', 'log', 'log10', 'modf', 'pi', 'pow', 'radians', 'sin', 'sinh', 'sqrt', 'tan', 'tanh']
safe_dict = dict([ (k, locals().get(k, None)) for k in safe_list ])
safe_dict['abs'] = abs
exec(execCd,{"__builtins__":None},safe_dict)
However, the exec fails when I have the second and third parameter with this exception - NameError: name 'retVal' is not defined
Some of the custom logic the end users have is extensive and much of this changes on a fairly regular basis. I don't want to maintain their custom logic and end users want to be able to test various warning/alert threshold logic quickly.
How can I secure this exec statement from unsafe (either intentional or unintentional) code?
Your
execstatement isn't adding retVal to your local environment, but to thesafe_dictdictionary. So you can get it back from there:The only safe way to use
evalorexecis not to use them.You do not need to use exec. Instead of building a string to execute, parse it into objects, and use that to drive your code execution.
At its simplest, you can store functions in a dict, and use a string to select the function to call. If you're using python syntax, python provides all the utilities to parse itself, and you should use those.