What YAML engine do you use?

Michael Spencer mahs at telcopartners.com
Mon Jan 24 13:47:32 EST 2005 

Fredrik Lundh wrote:
> Sion Arrowsmith wrote:
>>I'm probably not thinking deviously enough here, but how are you
>>going to exploit an eval() which has very tightly controlled
>>globals and locals (eg. eval(x, {"__builtins__": None}, {}) ?
> 
> try this:
> 
>     eval("'*'*1000000*2*2*2*2*2*2*2*2*2")
> 

I updated the safe eval recipe I posted yesterday to add the option of reporting 
unsafe source, rather than silently ignoring it.  Is this completely safe?  I'm 
interested in feedback.

Michael

Some source to try:

  >>> goodsource =  """[1, 2, 'Joe Smith', 8237972883334L,   # comment
  ...       {'Favorite fruits': ['apple', 'banana', 'pear']},  # another comment
  ...       'xyzzy', [3, 5, [3.14159, 2.71828, []]]]"""
  ...

Unquoted string literal
  >>> badsource = """[1, 2, JoeSmith, 8237972883334L,   # comment
  ...       {'Favorite fruits': ['apple', 'banana', 'pear']},  # another comment
  ...       'xyzzy', [3, 5, [3.14159, 2.71828, []]]]"""
  ...
Non-constant expression
  >>> effbot = "'*'*1000000*2*2*2*2*2*2*2*2*2"

  >>> safe_eval(good_source)
[1, 2, 'Joe Smith', 8237972883334L, {'Favorite fruits': ['apple', 'banana', 
'pear']}, 'xyzzy', [3, 5, [3.1415899999999999, 2.71828, []]]]
  >>> assert _ == eval(good_source)

  >>> safe_eval(bad_source)
Traceback (most recent call last):
   [...]
Unsafe_Source_Error: Line 1.  Strings must be quoted: JoeSmith

  >>> safe_eval(bad_source, fail_on_error = False)
[1, 2, None, 8237972883334L, {'Favorite fruits': ['apple', 'banana', 'pear']}, 
'xyzzy', [3, 5, [3.1415899999999999, 2.71828, []]]]

  >>> safe_eval(effbot)
Traceback (most recent call last):
   [...]
Unsafe_Source_Error: Line 1.  Unsupported source construct: compiler.ast.Mul

  >>> safe_eval(effbot, fail_on_error = False)
  ...
'*'
  >>>

Source:

import compiler

class Unsafe_Source_Error(Exception):
     def __init__(self,error,descr = None,node = None):
         self.error = error
         self.descr = descr
         self.node = node
         self.lineno = getattr(node,"lineno",None)

     def __repr__(self):
         return "Line %d.  %s: %s" % (self.lineno, self.error, self.descr)
     __str__ = __repr__

class AbstractVisitor(object):
     def __init__(self):
         self._cache = {} # dispatch table

     def visit(self, node,**kw):
         cls = node.__class__
         meth = self._cache.setdefault(cls,
             getattr(self,'visit'+cls.__name__,self.default))
         return meth(node, **kw)

     def default(self, node, **kw):
         for child in node.getChildNodes():
             return self.visit(child, **kw)
     visitExpression = default

class SafeEval(AbstractVisitor):

     def visitConst(self, node, **kw):
         return node.value

     def visitDict(self,node,**kw):
         return dict([(self.visit(k),self.visit(v)) for k,v in node.items])

     def visitTuple(self,node, **kw):
         return tuple(self.visit(i) for i in node.nodes)

     def visitList(self,node, **kw):
         return [self.visit(i) for i in node.nodes]

class SafeEvalWithErrors(SafeEval):

     def default(self, node, **kw):
         raise Unsafe_Source_Error("Unsupported source construct",
                                 node.__class__,node)

     def visitName(self,node, **kw):
         raise Unsafe_Source_Error("Strings must be quoted",
                                  node.name, node)

     # Add more specific errors if desired


def safe_eval(source, fail_on_error = True):
     walker = fail_on_error and SafeEvalWithErrors() or SafeEval()
     try:
         ast = compiler.parse(source,"eval")
     except SyntaxError, err:
         raise
     try:
         return walker.visit(ast)
     except Unsafe_Source_Error, err:
         raise

More information about the Python-list mailing list