2010-06-01 08:32:56 +00:00
|
|
|
- |
|
2010-12-03 14:20:35 +00:00
|
|
|
To check that common dangerous operations are not allowed by the safe_eval mechanism, attempt to
|
|
|
|
evaluate unauthorized expressions, and verify that they trigger an error.
|
2010-06-01 08:32:56 +00:00
|
|
|
-
|
|
|
|
1. Try a few common expressions to verify they work with safe_eval
|
|
|
|
-
|
|
|
|
!python {model: ir.model}: |
|
|
|
|
from tools.safe_eval import safe_eval
|
|
|
|
expected = (1, {"a": 9 * 2}, (True, False, None))
|
|
|
|
actual = safe_eval('(1, {"a": 9 * 2}, (True, False, None))')
|
|
|
|
assert actual == expected, "Simple python expressions are not working with safe_eval"
|
|
|
|
-
|
|
|
|
2. Try simple literal definition to verify it works with literal_eval
|
|
|
|
-
|
|
|
|
!python {model: ir.model}: |
|
|
|
|
from tools.safe_eval import literal_eval
|
|
|
|
expected = (1, {"a": 9}, (True, False, None))
|
|
|
|
actual = literal_eval('(1, {"a": 9}, (True, False, None))')
|
|
|
|
assert actual == expected, "Simple python expressions are not working with literal_eval"
|
|
|
|
-
|
|
|
|
3. Try arithmetic expression in literal_eval to verify it does not work
|
|
|
|
-
|
|
|
|
!python {model: ir.model}: |
|
|
|
|
from tools.safe_eval import literal_eval
|
|
|
|
try:
|
|
|
|
literal_eval('(1, {"a": 2*9}, (True, False, None))')
|
|
|
|
assert False, "literal_eval should not accept arithmetic expressions"
|
|
|
|
except ValueError:
|
|
|
|
pass
|
|
|
|
-
|
|
|
|
4. Try forbidden expressions in literal_eval to verify they are not allowed
|
|
|
|
-
|
|
|
|
!python {model: ir.model}: |
|
|
|
|
from tools.safe_eval import literal_eval
|
|
|
|
try:
|
|
|
|
literal_eval('{"a": True.__class__}')
|
|
|
|
assert False, "literal_eval should accept only literals"
|
|
|
|
except ValueError:
|
|
|
|
pass
|
|
|
|
-
|
|
|
|
5. Try forbidden expressions in safe_eval to verify they are not allowed (open)
|
|
|
|
-
|
|
|
|
!python {model: ir.model}: |
|
|
|
|
from tools.safe_eval import safe_eval
|
|
|
|
try:
|
|
|
|
safe_eval('open("/etc/passwd","r")')
|
2010-12-03 14:20:35 +00:00
|
|
|
assert False, "safe_eval should not allow calling open() builtin"
|
2010-06-01 08:32:56 +00:00
|
|
|
except NameError:
|
|
|
|
pass
|
|
|
|
except:
|
|
|
|
# NameError should be raised because open() builtin is not found,
|
|
|
|
# but other exceptions probably indicate that open() was executed!
|
2010-12-03 14:20:35 +00:00
|
|
|
assert False, "safe_eval should not allow calling open() builtin"
|
2010-06-01 08:32:56 +00:00
|
|
|
|