“评估"应该讨厌吗? [英] Is 'eval' supposed to be nasty?

问题描述

我已经多次使用ruby的eval功能.但是我听说有人说eval很讨厌.当被问及原因和方式时，我永远无法说服不使用它的理由.他们真的很讨厌吗?如果是，以什么方式?评估可能有哪些更安全"的选择?

I have been using eval feature of ruby many a times. But I have heard people saying evals are nasty. When asked, why and how, I could never get a convincing reason not to use it. Are they really nasty? If yes, in what way? What are possible "safer" options to eval?

推荐答案

如果您正在eval由用户提交或可由用户修改的字符串，则等于允许执行任意代码.想象一下该字符串是否包含对rm -rf /或类似内容的OS调用.也就是说，在您知道字符串受到适当约束的情况下，或者在Ruby解释器被适当地沙盒化的情况下，或者理想情况下，这两个情况下，eval都可以非常强大.

If you are evaling a string submitted by, or modifiable by the user, this is tantamount to allowing arbitrary code execution. Imagine if the string contained an OS call to rm -rf / or similar. That said, in situations where you know the strings are appropriately constrained, or your Ruby interpreter is sandboxed appropriately, or ideally both, eval can be extraordinarily powerful.

如果您很熟悉，该问题类似于 SQL注入.这里的解决方案类似于注入问题(参数化查询)的解决方案.也就是说，如果已知您要eval的语句具有非常特定的形式，并且用户不需要提交该语句的 all ，则只需几个变量，一个数学表达式或类似内容，您可以从用户那里收录这些小片段，如有必要，请对其进行清理，然后在适当位置插入用户输入来评估安全模板语句.

The problem is analogous to SQL injection, if you're familiar. The solution here is similar to the solution to the injection problem (parameterized queries). That is, if the statements you would like to eval are known to be of a very specific form, and not all of the statement need be submitted by the user, only a few variables, a math expression, or similar, you can take in these small pieces from the user, sanitize them if necessary, then evaluate the safe template statement with the user input plugged in in the appropriate places.

这篇关于“评估"应该讨厌吗?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！