An alternative approach to avoiding arbitrary evaluation of code when parsing strings as units #251
Conversation
… parsing strings as units. Based on https://stackoverflow.com/a/11952618 by https://stackoverflow.com/users/567292/ecatmur Fixes python-quantities#250 Also added test for the original issue: python-quantities#221
|
@codingchipmunk @zm711 please could you take a look at this? |
|
Sure I'll look this afternoon :) |
quantities/registry.py
Outdated
| whitelist = ( | ||
| ast.Expression, | ||
| ast.Constant, | ||
| ast.Name, | ||
| ast.Load, | ||
| ast.BinOp, | ||
| ast.UnaryOp, | ||
| ast.operator, | ||
| ast.unaryop, | ||
| ast.Num, | ||
| ) |
There was a problem hiding this comment.
I think I would need to carefully check this for our whitelist to make sure everything gets through. But this seems like a great idea overall. Do we want to add a comment to the stackoverflow so we know where the idea came from? This strategy is super cool, but I don't think it would be understandable to a new developer without a comment or link.
There was a problem hiding this comment.
All of the quantities and Neo core tests pass with this whitelist, but yes, I would like some more eyes on this.
I originally thought adding the link to the SO post in the PR was sufficient, but on reflection I think you're right, it should also be added as a comment in the code.
There was a problem hiding this comment.
I accidentally deleted my quantities dev env. I'll make a new one and run some tests to see, but neo tests passing makes me feel better! I'll try to read a bit more on the ast stuff and let you know soon if I find anything.
There was a problem hiding this comment.
Goofy example of what a user could do with current white list. Not security risk, but also nonsense.
try this:
>>> pq.CompoundUnit('5*5*5')
1 (5*5*5)actually I guess we can't defend against this since we have compound units that need multiply and divide in them. I wish we could think of something that would protect against this.
There was a problem hiding this comment.
well, we could write a formal grammar for these strings, using pyparsing for example, but that seems like overkill, and might have a performance impact.
There was a problem hiding this comment.
No, I've been reflecting more and I think this is fine as is. I think that my example is misuse by the user. I wish we could protect the user, but if they want to do something like this it's on them. We've protected from the security risk so I'm good with this.
quantities/registry.py
Outdated
| whitelist = ( | ||
| ast.Expression, | ||
| ast.Constant, | ||
| ast.Name, | ||
| ast.Load, | ||
| ast.BinOp, | ||
| ast.UnaryOp, | ||
| ast.operator, | ||
| ast.unaryop, | ||
| ast.Num, | ||
| ) |
There was a problem hiding this comment.
Goofy example of what a user could do with current white list. Not security risk, but also nonsense.
try this:
>>> pq.CompoundUnit('5*5*5')
1 (5*5*5)actually I guess we can't defend against this since we have compound units that need multiply and divide in them. I wish we could think of something that would protect against this.
and will be removed in Python 3.14 Co-authored-by: Zach McKenzie <[email protected]>
Based on https://stackoverflow.com/a/11952618 by https://stackoverflow.com/users/567292/ecatmur
Fixes #250
Also added test for the original issue: #221