Some axes.prop_cycler param improvements.

WeatherGod · WeatherGod · commit f4436294d7f1 · 2015-08-15T17:23:22.000-04:00
* Restricted prop_cycler to only have cycler() available
* Added tests for both nominal and fail cases.
* Even added some potential malicious strings to test fail.
diff --git a/lib/matplotlib/rcsetup.py b/lib/matplotlib/rcsetup.py
@@ -323,11 +323,30 @@ def validate_cycler(s):
     if isinstance(s, six.string_types):
         try:
             # TODO: We might want to rethink this...
-            cycler_inst = eval(s, {'cycler': cycler, 'Cycler': Cycler})
+            # While I think I have it quite locked down,
+            # it is execution of arbitrary code without
+            # sanitation.
+            # Combine this with the possibility that rcparams
+            # might come from the internet (future plans), this
+            # could be downright dangerous.
+            # I locked it down by only having the 'cycler()' function
+            # available. Imports and defs should not
+            # be possible. However, it is entirely possible that
+            # a security hole could open up via attributes to the
+            # function (this is why I decided against allowing the
+            # Cycler class object just to reduce the number of
+            # degrees of freedom (but maybe it is safer to use?).
+            # One possible hole I can think of (in theory) is if
+            # someone managed to hack the cycler module. But, if
+            # someone does that, this wouldn't make anything
+            # worse because we have to import the module anyway.
+            s = eval(s, {'cycler': cycler})
         except BaseException as e:
             raise ValueError("'%s' is not a valid cycler construction: %s" %
                              (s, e))
-    elif isinstance(s, Cycler):
+    # Should make sure what comes from the above eval()
+    # is a Cycler object.
+    if isinstance(s, Cycler):
         cycler_inst = s
     else:
         raise ValueError("object was not a string or Cycler instance: %s" % s)
diff --git a/lib/matplotlib/tests/test_rcparams.py b/lib/matplotlib/tests/test_rcparams.py
@@ -8,6 +8,8 @@
 import sys
 import warnings
 
+from cycler import cycler, Cycler
+
 import matplotlib as mpl
 import matplotlib.pyplot as plt
 from matplotlib.tests import assert_str_equal
@@ -22,7 +24,8 @@
                                 validate_stringlist,
                                 validate_bool,
                                 validate_nseq_int,
-                                validate_nseq_float)
+                                validate_nseq_float,
+                                validate_cycler)
 
 
 mpl.rc('text', usetex=False)
@@ -238,13 +241,14 @@ def test_Issue_1713():
         del os.environ['LANG']
     assert rc.get('timezone') == 'UTC'
 
-if __name__ == '__main__':
-    nose.runmodule(argv=['-s', '--with-doctest'], exit=False)
-
 
 def _validation_test_helper(validator, arg, target):
     res = validator(arg)
-    assert_equal(res, target)
+    if not isinstance(target, Cycler):
+        assert_equal(res, target)
+    else:
+        # Cyclers can't simply be asserted equal. They don't implement __eq__
+        assert_equal(list(res), list(target))
 
 
 def _validation_fail_helper(validator, arg, exception_type):
@@ -293,8 +297,35 @@ def test_validators():
                   for _ in ('aardvark', ('a', 1),
                             (1, 2, 3)
                             ))
-        }
-
+        },
+        {'validator': validate_cycler,
+         'success': (('cycler("color", "rgb")',
+                      cycler("color", 'rgb')),
+                     (cycler('linestyle', ['-', '--']),
+                      cycler('linestyle', ['-', '--'])),
+                     ("""(cycler("color", ["r", "g", "b"]) +
+                          cycler("mew", [2, 3, 5]))""",
+                      cycler("color", 'rgb') + cycler("mew", [2, 3, 5])),
+                    ),
+         # This is *so* incredibly important: validate_cycler() eval's
+         # an arbitrary string! I think I have it locked down enough,
+         # and that is what this is testing.
+         # TODO: Note that these tests are actually insufficient, as it may
+         # be that they raised errors, but still did an action prior to
+         # raising the exception. We should devise some additional tests
+         # for that...
+         'fail': ((4, ValueError),  # Gotta be a string or Cycler object
+                  ('cycler("bleh, [])', ValueError),  # syntax error
+                  ('Cycler("linewidth", [1, 2, 3])',
+                      ValueError),  # only 'cycler()' function is allowed
+                  ('1 + 2', ValueError),  # doesn't produce a Cycler object
+                  ('os.system("echo Gotcha")', ValueError),  # os not available
+                  ('import os', ValueError),  # should not be able to import
+                  ('def badjuju(a): return a; badjuju(cycler("color", "rgb"))',
+                      ValueError),  # Should not be able to define anything
+                                    # even if it does return a cycler
+                 )
+        },
     )
 
     for validator_dict in validation_tests:
@@ -331,3 +362,7 @@ def test_rcparams_reset_after_fail():
                 pass
 
         assert mpl.rcParams['text.usetex'] is False
+
+
+if __name__ == '__main__':
+    nose.runmodule(argv=['-s', '--with-doctest'], exit=False)
