
Use of eval() #21

Open
deyceg opened this issue Mar 13, 2022 · 2 comments
deyceg commented Mar 13, 2022

I don't see any sanitizing of custom rules, so you'd be able to execute arbitrary Python code.

Andrey9kin (Member) commented

@deyceg Thank you for reporting this, and yes, eval is dangerous.

Do you see any low-hanging fruit that would help to mitigate this? I have been thinking of replacing eval with a rule engine, but at the moment everything that I have seen is quite complex for comprehension and would prevent users from writing their own rules...

@Andrey9kin Andrey9kin moved this to Backlog in Open source Apr 22, 2022
@Andrey9kin Andrey9kin moved this from Backlog to Icebox in Open source Jun 1, 2022
Andrey9kin (Member) commented

Reading it one more time now and yes, we could try to do sanitization. Will look into it.
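
A restricted rule evaluator of the kind the two comments above are circling (something safer than eval that still lets users write their own rules), added here as an illustration and not code from this project: it parses a rule with Python's ast module and interprets only a whitelisted subset (variable names, constants, comparisons, and/or/not, basic arithmetic), so calls, attribute access, subscripts and anything else are rejected before any evaluation happens. The function names and the rule variables are assumptions for the example.

```python
import ast
import operator

# Operators a rule may use; any other node or operator is rejected before evaluation.
_BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul}
_CMP_OPS = {ast.Eq: operator.eq, ast.NotEq: operator.ne, ast.Lt: operator.lt,
            ast.LtE: operator.le, ast.Gt: operator.gt, ast.GtE: operator.ge,
            ast.In: lambda a, b: a in b, ast.NotIn: lambda a, b: a not in b}


class RuleError(ValueError):
    """Raised when a rule uses syntax outside the allowed subset."""


def _ev(node, ctx):
    """Interpret one AST node; every branch is an explicitly allowed construct."""
    if isinstance(node, ast.Expression):
        return _ev(node.body, ctx)
    if isinstance(node, ast.Constant) and isinstance(node.value, (int, float, str, bool, type(None))):
        return node.value
    if isinstance(node, ast.Name):  # only variables the caller supplied, never builtins
        if node.id not in ctx:
            raise RuleError(f"unknown variable {node.id!r}")
        return ctx[node.id]
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, (ast.Not, ast.USub)):
        val = _ev(node.operand, ctx)
        return (not val) if isinstance(node.op, ast.Not) else -val
    if isinstance(node, ast.BoolOp):  # and / or; short-circuits, always returns a bool
        vals = (_ev(v, ctx) for v in node.values)
        return all(vals) if isinstance(node.op, ast.And) else any(vals)
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        return _BIN_OPS[type(node.op)](_ev(node.left, ctx), _ev(node.right, ctx))
    if isinstance(node, ast.Compare):  # supports chains such as 1 < x <= 5
        left = _ev(node.left, ctx)
        for op, right_node in zip(node.ops, node.comparators):
            if type(op) not in _CMP_OPS:
                raise RuleError(f"operator {type(op).__name__} is not allowed")
            right = _ev(right_node, ctx)
            if not _CMP_OPS[type(op)](left, right):
                return False
            left = right
        return True
    # Call, Attribute, Subscript, Lambda, comprehensions, f-strings, ... all end up here.
    raise RuleError(f"{type(node).__name__} is not allowed in rules")


def evaluate_rule(rule, ctx):
    """Parse `rule` as one expression and evaluate it over the variables in `ctx`."""
    try:
        tree = ast.parse(rule, mode="eval")
    except SyntaxError as exc:
        raise RuleError(f"invalid rule syntax: {exc.msg}") from None
    return _ev(tree, ctx)
```

Because the tree is walked by this interpreter rather than handed back to eval, there is no builtins namespace to reach and no way to call anything, so a rule is limited to the constructs listed above.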

@Andrey9kin Andrey9kin moved this from Icebox to Backlog in Open source Jun 3, 2022
@Andrey9kin Andrey9kin self-assigned this Jun 3, 2022
@Andrey9kin Andrey9kin moved this from Backlog to Icebox in Open source Mar 31, 2023
Labels: none yet
Projects: Status: Icebox
Development: no branches or pull requests
2 participants