bronx.syntax.minieval

Parse, check and execute single-line Python statements.

The Python ast module is leveraged in order to parse the code and look for potential security hazards. Notably, access to attributes prefixed by '_' is forbidden and a few builtins like globals or import are deactivated.

The safe_eval() module-level object provides access to the default checker.
Examples:

    # Security threats?
    >>> safe_eval('globals()[1].clear()')  # doctest: +IGNORE_EXCEPTION_DETAIL
    Traceback (most recent call last):
    ...
    SingleLineStatementSecurityError: The "globals" builtin is not allowed

    >>> safe_eval('stuff.__dict__.clear()', stuff='anyobject')  # doctest: +IGNORE_EXCEPTION_DETAIL
    Traceback (most recent call last):
    ...
    SingleLineStatementSecurityError: The "__dict__" attribute is not allowed

    # Missing variables?
    >>> safe_eval('a + 1')  # doctest: +IGNORE_EXCEPTION_DETAIL
    Traceback (most recent call last):
    ...
    SingleLineStatementSecurityError: The "a" variable is not allowed at this particular location

    # Let's show some useful things...
    >>> safe_eval('a + 1', a=1)
    2
    >>> print(safe_eval('["Member{:02d}".format(m) for m in members if m < 2]',
    ...                 members=range(0, 3)))
    ['Member00', 'Member01']
Module Attributes

- bronx.syntax.minieval.safe_eval = <bronx.syntax.minieval.SingleLineStatement object>
  An object instantiated from the SingleLineStatement checker class.
Classes

- class bronx.syntax.minieval.SafetyCheckNodeVisitor(varnames)
  Bases: NodeVisitor
  Look for security threats/errors in a given AST node. In case something wrong is detected, a SingleLineStatementSecurityError exception will be raised.
  - Parameters:
    varnames – A list of allowed global variable names
- class bronx.syntax.minieval.SingleLineStatement(visit_cls=<class 'bronx.syntax.minieval.SafetyCheckNodeVisitor'>)
  Bases: object
  Safely parse, check and evaluate a code statement.
  The interface of such a class is fairly simple. One just needs to create an object with no arguments and use:
  - the check() method in order to verify the syntax and look for potential security threats in a code statement;
  - the object itself as a callable (__call__()) in order to perform all checks and actually run the statement.
  With both methods, a list of variables can be provided: only these variables will be allowed and usable in the code statement.
  Warning
  Do not use in sensitive/exposed software since the security provided by this class is probably very thin!
  - Example:
    See the top module examples.
  - Parameters:
    visit_cls (ast.NodeVisitor) – The class that is used to check the code statement
  - check(statement, **kwargs)
    Parse and check a code statement.
    - Parameters:
      statement (str) – The code statement
      kwargs – The variables that can be used in the code statement
    - Returns:
      The ast node object representing the parsed statement
    - Raises:
      SingleLineStatementParsingError – if the ast package fails to parse the code statement (syntax error)
      SingleLineStatementSecurityError – if something odd/forbidden is spotted in the code statement
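The module description above and the check() method together describe one mechanism: parse the statement with ast, walk the tree with a NodeVisitor that rejects underscore-prefixed attributes, forbidden builtins and names that were not handed in, and only then evaluate. The block below is an added illustration of that mechanism and is not the project's code: the class names SafetyChecker, StatementSecurityError and StatementParsingError, the list of forbidden builtins, the whitelist of builtins passed to eval(), the rejection of lambda/walrus/await/yield expressions and the why_rejected() helper are all assumptions made for this example. It goes slightly beyond the page in that it tracks names bound by (possibly nested) list, set, dict and generator comprehensions so that loop variables are accepted without being declared, and it evaluates in an environment whose __builtins__ is reduced to the whitelist as a second layer behind the AST check.

```python
import ast


class StatementSecurityError(RuntimeError):
    """Something forbidden was found in the statement (hypothetical name)."""


class StatementParsingError(RuntimeError):
    """The statement is not a valid single Python expression (hypothetical name)."""


# Builtins that must never be reachable by name (assumed list for this example).
FORBIDDEN_BUILTINS = frozenset({
    "globals", "locals", "vars", "__import__", "eval", "exec", "compile",
    "open", "getattr", "setattr", "delattr", "breakpoint", "input",
})

# The only builtins handed to eval(); everything else is simply absent.
SAFE_BUILTINS = {
    "range": range, "len": len, "min": min, "max": max, "sum": sum,
    "sorted": sorted, "abs": abs, "str": str, "int": int, "float": float,
}

# Expression forms that create their own scopes or have side effects; rejected
# outright so the name-scoping logic below stays simple (design choice here).
FORBIDDEN_NODES = (ast.Lambda, ast.NamedExpr, ast.Await, ast.Yield, ast.YieldFrom)


class SafetyChecker(ast.NodeVisitor):
    """Walk an expression AST and reject unsafe constructs (example class)."""

    def __init__(self, varnames):
        self.allowed = frozenset(varnames) | frozenset(SAFE_BUILTINS)
        self.scopes = []  # stack of name sets bound by enclosing comprehensions

    def generic_visit(self, node):
        if isinstance(node, FORBIDDEN_NODES):
            raise StatementSecurityError(
                f"{type(node).__name__} expressions are not allowed")
        super().generic_visit(node)

    def visit_Attribute(self, node):
        # Blocks __dict__, __class__, _private and any other '_'-prefixed attribute.
        if node.attr.startswith("_"):
            raise StatementSecurityError(
                f'The "{node.attr}" attribute is not allowed')
        self.generic_visit(node)

    def visit_Name(self, node):
        if node.id in FORBIDDEN_BUILTINS:
            raise StatementSecurityError(f'The "{node.id}" builtin is not allowed')
        if isinstance(node.ctx, ast.Store):
            # Only comprehension targets may bind names in an expression.
            if not self.scopes:
                raise StatementSecurityError(f'Binding "{node.id}" is not allowed')
            self.scopes[-1].add(node.id)
        elif node.id not in self.allowed and not any(node.id in s for s in self.scopes):
            raise StatementSecurityError(
                f'The "{node.id}" variable is not allowed at this particular location')

    def _visit_comprehension(self, node):
        # Visit the generators before the element so loop targets are bound first.
        self.scopes.append(set())
        for gen in node.generators:
            self.visit(gen.iter)      # may use targets of earlier generators
            self.visit(gen.target)    # binds this generator's loop variable(s)
            for cond in gen.ifs:
                self.visit(cond)
        if isinstance(node, ast.DictComp):
            self.visit(node.key)
            self.visit(node.value)
        else:
            self.visit(node.elt)
        self.scopes.pop()

    visit_ListComp = visit_SetComp = visit_GeneratorExp = visit_DictComp = _visit_comprehension


def check(statement, **variables):
    """Parse one expression and run the checker; return the AST on success."""
    for name in variables:
        if name.startswith("_"):
            raise StatementSecurityError(f'Variable name "{name}" is not allowed')
    try:
        tree = ast.parse(statement, mode="eval")
    except SyntaxError as exc:
        raise StatementParsingError(str(exc)) from exc
    SafetyChecker(variables).visit(tree)
    return tree


def safe_eval(statement, **variables):
    """Check, then evaluate with only SAFE_BUILTINS and the given variables visible."""
    tree = check(statement, **variables)
    env = {"__builtins__": dict(SAFE_BUILTINS)}
    env.update(variables)
    return eval(compile(tree, "<safe_eval>", "eval"), env, {})


def why_rejected(statement, **variables):
    """Return the checker's message if the statement is rejected, else None."""
    try:
        check(statement, **variables)
    except (StatementSecurityError, StatementParsingError) as exc:
        return str(exc)
    return None
```

With this, safe_eval('a + 1', a=1) returns 2 and why_rejected('globals()[1].clear()') returns the same kind of message the doctests above show. Two design points matter for a reviewer: the reduced __builtins__ dict is defense in depth, so that a name the visitor missed still resolves to nothing at run time; and the visitor inspects syntax only, so anything that resolves attributes at run time inside a library call is invisible to it, which is exactly why the class documentation carries its Warning.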
Exceptions

- exception bronx.syntax.minieval.SingleLineStatementError
  Bases: RuntimeError
  Any exception raised by the SingleLineStatement or SafetyCheckNodeVisitor classes.
- exception bronx.syntax.minieval.SingleLineStatementEvalError
  Bases: SingleLineStatementError
  The evaluation (i.e. execution) of the code statement failed.
- exception bronx.syntax.minieval.SingleLineStatementParsingError
  Bases: SingleLineStatementError
  The ast module was unable to parse the code statement (syntax error).
- exception bronx.syntax.minieval.SingleLineStatementSecurityError
  Bases: SingleLineStatementError
  An unauthorised piece of code has been detected.