Skip to content

Prevent arbitrary code eval #236

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 4 commits into from
Aug 27, 2024
Merged

Prevent arbitrary code eval #236

Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
2a18ba9
prevent arbitrary code eval
zm711 Jul 31, 2024
298c01f
fix for bytes
zm711 Jul 31, 2024
bb65193
remove is in place
zm711 Jul 31, 2024
3430bab
fix for octet as well
zm711 Jul 31, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
13 changes: 12 additions & 1 deletion quantities/registry.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,8 +1,8 @@
"""
"""

import copy
import re
import builtins


class UnitRegistry:
Expand All @@ -16,6 +16,17 @@ def __init__(self):
self.__context = {}

def __getitem__(self, string):

# easy hack to prevent arbitrary evaluation of code
all_builtins = dir(builtins)
# because we have kilobytes, other bytes we have to remove bytes
all_builtins.remove("bytes")
# have to deal with octet as well
all_builtins.remove("oct")
for builtin in all_builtins:
if builtin in string:
raise RuntimeError(f"String parsing error for {string}. Enter a string accepted by quantities")

try:
return eval(string, self.__context)
except NameError:
Expand Down
Loading