Safely eval code from text file--suggestions?

 
 
JS Bangs
09-01-2003
All,

I've got a module that will read an XML file that has code as the
contents of some elements. I'd like to be able to capture this code as a
code reference and pass that code reference to a function, without risking
any internals. The following code works, but doesn't seem foolproof:

# %code, $self, and $parse defined elsewhere
if (exists $code{$_}) {
    my $c;
    my $code = '$c = sub {' . $parse->{$_} . '}';

    # Prevent $code from modifying in-scope variables we need to keep
    {
        local($self, $parse);
        eval $code;
    }

    if ($@) {
        err("Errors processing $_ : $@");
    }
    else {
        $self->$_($c);
    }
}

Suggestions very welcome.

--
Jesse S. Bangs (E-Mail Removed)
http://students.washington.edu/jaspax/
http://students.washington.edu/jaspax/blog

Jesus asked them, "Who do you say that I am?"

And they answered, "You are the eschatological manifestation of the ground
of our being, the kerygma in which we find the ultimate meaning of our
interpersonal relationship."

And Jesus said, "What?"
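Added example, not code from the post above, showing why the local() guard in it does not hold. `local` can only act on package globals (on a `my` variable it is a compile-time error), it only swaps their values while the string is being compiled, and the closure is called later, after the block has exited, so it sees the real values again. The wrapping `sub {` ... `}` is not a container either: a body that closes the brace runs at eval time and can read or replace any lexical in scope, `$c` included. `$self`, `$parse`, `$secret` and the element bodies are constructed for the demo.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Package globals: local() only works on package variables, so the
# original's local($self, $parse) implies they are globals. On a `my`
# variable it would be a compile-time error ("Can't localize lexical").
our ($self, $parse);
$self = { name => 'module internals' };

# Constructed stand-in for the element body read from the XML file.
$parse = {
    handler => q{
        print "handler runs: self->{name} is '$main::self->{name}'\n";
        $main::self->{name} = 'clobbered by handler';
    },
};

# A lexical the eval'd code was never meant to see.
my $secret = 'lexical in scope';

my $c;
my $code = '$c = sub {' . $parse->{handler} . '}';

{
    local ($self, $parse);   # hides the values only while eval compiles $code
    eval $code;
    die "eval failed: $@" if $@;
    print "inside local block: self is ", (defined $self ? 'set' : 'undef'), "\n";
}

# Leaving the block restores $self. The closure is only called now, so the
# localisation above never applied to anything it does at run time.
$c->();
print "after call: self->{name} is '$self->{name}'\n";

# The compile-time window is not safe either. This constructed body closes
# the sub { } wrapper, so its middle part runs during the eval itself, with
# every lexical in scope (including $c and $secret) visible to it.
$parse = { handler => '1 }; print "eval saw: $secret\n"; $c = sub { 2' };
$code  = '$c = sub {' . $parse->{handler} . '}';
{
    local ($self, $parse);
    eval $code;
    die "eval failed: $@" if $@;
}
print "second handler returns: ", $c->(), "\n";
```

Running it prints that `$self` is undef inside the block, that the handler nevertheless sees and overwrites `module internals` when called, and that the second body printed `$secret` during compilation before installing its own `$c`. Nothing about `local` constrains the code; it only has to wait until it is called.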
 

James Willmore
09-01-2003
On Sun, 31 Aug 2003 21:55:49 -0700
JS Bangs <(E-Mail Removed)> wrote:
> I've got a module that will read an XML file that has code as the
> contents of some elements. I'd like to be able to capture this code
> as a code reference and pass that code reference to a function,
> without risking any internals.

<snip>
> Suggestions very welcome.


Correct me if I'm wrong, but you would like to do something like SAX?
If so, there are some modules to aid you in this on CPAN.

That's my two cents.

--
Jim
---
Copyright notice: all code written by the author in this post is
considered GPL. http://gnu.org for more information.
---
a real quote ...
Linus Torvalds: "They are smoking crack ...."
(http://www.eweek.com/article2/0,3959,1227150,00.asp)
---
a fortune quote ...
"Right now I'm having amnesia and deja vu at the same time." --
Steven Wright
 

Charles DeRykus
09-02-2003
In article <(E-Mail Removed)>,
JS Bangs <(E-Mail Removed)> wrote:
>All,
>
>I've got a module that will read an XML file that has code as the
>contents of some elements. I'd like to be able to capture this code as a
>code reference and pass that code reference to a function, without risking
>any internals. The following code works, but doesn't seem foolproof:
>
># %code, $self, and $parse defined elsewhere
>if (exists $code{$_}) {
>    my $c;
>    my $code = '$c = sub {' . $parse->{$_} . '}';
>
>    # Prevent $code from modifying in-scope variables we need to keep
>    {
>        local($self, $parse);
>        eval $code;
>    }
>
>    if ($@) {
>        err("Errors processing $_ : $@");
>    }
>    else {
>        $self->$_($c);
>    }
>}
>


Wouldn't you almost certainly want to use the core Safe module
in case other wickedness creeps into the code...

HTH,
--
Charles DeRykus


 

Benjamin Goldberg
09-02-2003


JS Bangs wrote:
>
> All,
>
> I've got a module that will read an XML file that has code as the
> contents of some elements. I'd like to be able to capture this code as a
> code reference and pass that code reference to a function, without risking
> any internals. The following code works, but doesn't seem foolproof:
>
> # %code, $self, and $parse defined elsewhere
> if (exists $code{$_}) {
>     my $c;
>     my $code = '$c = sub {' . $parse->{$_} . '}';
>
>     # Prevent $code from modifying in-scope variables we need to keep
>     {
>         local($self, $parse);
>         eval $code;
>     }
>
>     if ($@) {
>         err("Errors processing $_ : $@");
>     }
>     else {
>         $self->$_($c);
>     }
> }
>
> Suggestions very welcome.


use Safe;
if( exists $code{$_} ) {
    (my $safe = Safe->new)->permit_only(qw(:default));
    my $c = $safe->reval("return sub { $parse->{$_} }");
    if ($@) {
        err("Errors processing $_ : $@");
    } else {
        $self->$_($c);
    }
}

[untested; might not *really* be Safe]

Actually, I know for a fact that in some versions of perl, you can do some
really odd things in spite of being inside of a Safe object. For example,

[Windows 95] C:\WINDOWS>perl -MSafe -wle "LOOP: { print 1; Safe->new->reval('last LOOP'); print 2 } print 3"
1
Exiting eval via last at (eval 2) line 2.
Exiting subroutine via last at (eval 2) line 2.
Exiting eval via last at (eval 2) line 2.
Exiting subroutine via last at (eval 2) line 2.
3
Can't return outside a subroutine.

Of course, since you've been wholly trusting the contents of $parse->{$_}
so far (meaning, *anything* could have been done in its code), you wouldn't
be doing any *worse* to eval the code inside of a Safe object.

--
$a=24;split//,240513;s/\B/ => /for@@=qw(ac ab bc ba cb ca
);{push(@b,$a),($a-=6)^=1 for 2..$a/6x--$|;print "$@[$a%6
]\n";((6<=($a-=6))?$a+=$_[$a%6]-$a%6$a=pop @b))&&redo;}
 

JS Bangs
09-02-2003
Benjamin Goldberg sikyal:

> use Safe;
> if( exists $code{$_} ) {
>     (my $safe = Safe->new)->permit_only(qw(:default));
>     my $c = $safe->reval("return sub { $parse->{$_} }");
>     if ($@) {
>         err("Errors processing $_ : $@");
>     } else {
>         $self->$_($c);
>     }
> }
>
> [untested; might not *really* be Safe]


This works very well. Thank you! I hadn't ever heard of the Safe module
before, so thanks for pointing this out to me.

> Of course, since you've been wholly trusting the contents of $parse->{$_}
> so far (meaning, *anything* could have been done in it's code), you wouldn't
> be doing any *worse* to eval the code inside of a Safe object.


Right. I'm actually letting general security issues within the code in
$parse->{$_} be Somebody Else's Problem. As the module writer, I need to
make sure that the code doesn't alter the internals of my module, but
making sure that the code doesn't maliciously use system() calls or do
other insecure buggery will be the responsibility of the person using the
module and providing the XML to parse.

--
Jesse S. Bangs (E-Mail Removed)
http://students.washington.edu/jaspax/
http://students.washington.edu/jaspax/blog

Jesus asked them, "Who do you say that I am?"

And they answered, "You are the eschatological manifestation of the ground
of our being, the kerygma in which we find the ultimate meaning of our
interpersonal relationship."

And Jesus said, "What?"
 