How to safely use exec() in Python?


Problem description

I have been tasked with building an application where an end user can have custom rules to evaluate whether a returned query results in a warning or alert (based on their own thresholds).

I've built a way for the user to template their logic. An example looks like this:

if (abs(<<21>>) >= abs(<<22>>)):
    retVal = <<21>>
else:
    retVal = <<22>>

The <<21>> and <<22>> parameters will be substituted with values found earlier in the program. Once all this substitution occurs I have a very simple if/else block (in this example) that looks like this, stored in a variable (execCd):

if (abs(22.0) >= abs(-162.0)):
    retVal = 22.0
else:
    retVal = -162.0

This will exec() correctly. Now, how can I secure this? I've looked at this article: http://lybniz2.sourceforge.net/safeeval.html

My code ends up looking like this:

import math

safe_list = ['math', 'acos', 'asin', 'atan', 'atan2', 'ceil', 'cos', 'cosh', 'degrees', 'e', 'exp', 'fabs', 'floor', 'fmod', 'frexp', 'hypot', 'ldexp', 'log', 'log10', 'modf', 'pi', 'pow', 'radians', 'sin', 'sinh', 'sqrt', 'tan', 'tanh']
# Look the names up on the math module; locals() called from inside a comprehension
# sees only the comprehension's own variables (before Python 3.12), so the lookup
# from the lybniz article yields None for every name.
safe_dict = {k: getattr(math, k, None) for k in safe_list}
safe_dict['abs'] = abs
exec(execCd, {"__builtins__": None}, safe_dict)

However, the exec fails when I have the second and third parameters with this exception - NameError: name 'retVal' is not defined

Some of the custom logic the end users have is extensive and much of this changes on a fairly regular basis. I don't want to maintain their custom logic, and end users want to be able to test various warning/alert threshold logic quickly.

How can I secure this exec statement from unsafe (either intentional or unintentional) code?

Recommended answer

Your exec statement isn't adding retVal to your local environment, but to the safe_dict dictionary. So you can get it back from there:

execCd = """
if (abs(22.0) >= abs(-162.0)):
    retVal = 22.0
else:
    retVal = -162.0
"""

safe_list = ['math','acos', 'asin', 'atan', 'atan2', 'ceil', 'cos', 'cosh', 'de grees', 'e', 'exp', 'fabs', 'floor', 'fmod', 'frexp', 'hypot', 'ldexp', 'log', 'log10', 'modf', 'pi', 'pow', 'radians', 'sin', 'sinh', 'sqrt', 'tan', 'tanh'] 
safe_dict = dict([ (k, locals().get(k, None)) for k in safe_list ]) 
safe_dict['abs'] = abs
exec(execCd,{"__builtins__":None},safe_dict)
retVal = safe_dict["retVal"]
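Added example, not part of the question or the answer above: CPython's exec() is not a sandbox, so the control a defender would add on top of the restricted namespace is to validate the substituted rule's syntax tree against a small whitelist before executing it, and to render substituted parameters only as numbers. The whitelist is the question's safe_list; the names SAFE_NAMES, ALLOWED_NODES, RuleError, validate_rule, rule_is_safe, fill_template and run_rule are assumptions.

```python
import ast
import math
import re
# Constructed whitelist, from the question's safe_list (with "degrees" spelled correctly).
SAFE_NAMES = {n: getattr(math, n) for n in [
    "acos", "asin", "atan", "atan2", "ceil", "cos", "cosh", "degrees", "e", "exp",
    "fabs", "floor", "fmod", "frexp", "hypot", "ldexp", "log", "log10", "modf", "pi",
    "pow", "radians", "sin", "sinh", "sqrt", "tan", "tanh"]}
SAFE_NAMES["abs"] = abs
# The only syntax a rule may contain; attributes, imports, loops, lambdas and ** are absent.
ALLOWED_NODES = (
    ast.Module, ast.If, ast.Assign, ast.Compare, ast.BoolOp, ast.BinOp, ast.UnaryOp,
    ast.Call, ast.Name, ast.Constant, ast.Load, ast.Store, ast.And, ast.Or, ast.Not,
    ast.USub, ast.UAdd, ast.Add, ast.Sub, ast.Mult, ast.Div, ast.Mod,
    ast.Eq, ast.NotEq, ast.Lt, ast.LtE, ast.Gt, ast.GtE)

class RuleError(ValueError):
    pass

def validate_rule(source: str) -> ast.Module:
    """Parse the rule and reject any node, name or constant outside the whitelist."""
    tree = ast.parse(source, mode="exec")
    for node in ast.walk(tree):
        if not isinstance(node, ALLOWED_NODES):
            raise RuleError(f"disallowed syntax: {type(node).__name__}")
        # Only retVal may be assigned; only retVal and whitelisted names may be read.
        if isinstance(node, ast.Name) and node.id != "retVal" and (
                isinstance(node.ctx, ast.Store) or node.id not in SAFE_NAMES):
            raise RuleError(f"name not allowed: {node.id}")
        if isinstance(node, ast.Constant) and (
                isinstance(node.value, bool) or not isinstance(node.value, (int, float))):
            raise RuleError(f"only numeric constants allowed, got {node.value!r}")
    return tree

def rule_is_safe(source: str) -> bool:
    try:
        validate_rule(source)
        return True
    except (RuleError, SyntaxError):
        return False

def fill_template(template: str, values: dict) -> str:
    # Every substituted value goes through float(), so a parameter can never carry syntax.
    return re.sub(r"<<(\d+)>>", lambda m: repr(float(values[int(m.group(1))])), template)

def run_rule(template: str, values: dict) -> float:
    tree = validate_rule(fill_template(template, values))
    ns = dict(SAFE_NAMES)  # the rule sees only the whitelist plus whatever it assigns
    exec(compile(tree, "<rule>", "exec"), {"__builtins__": {}}, ns)
    return ns["retVal"]
```

Rejecting the parse tree is independent of the namespace trick, so a rule that tries attribute access, an import, a string constant or an unknown name is refused before exec() runs.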
