Security of Python’s eval() on untrusted strings?

by

eval() will allow malicious data to compromise your entire system, kill your cat, eat your dog and make love to your wife.

There was recently a thread about how to do this kind of thing safely on the python-dev list, and the conclusions were:

  • It’s really hard to do this properly.
  • It requires patches to the python interpreter to block many classes of attacks.
  • Don’t do it unless you really want to.

Start here to read about the challenge: http://tav.espians.com/a-challenge-to-break-python-security.html

What situation do you want to use eval() in? Are you wanting a user to be able to execute arbitrary expressions? Or are you wanting to transfer data in some way? Perhaps it’s possible to lock down the input in some way.

More Related Contents:

  1. Why is using ‘eval’ a bad practice?
  2. Using python’s eval() vs. ast.literal_eval()
  3. What’s the difference between eval, exec, and compile?
  4. What does Python’s eval() do?
  5. What are the risks of running ‘sudo pip’?
  6. Dynamically evaluate an expression from a formula in Pandas
  7. I need to securely store a username and password in Python, what are my options? [closed]
  8. Python: make eval safe [duplicate]
  9. hash function in Python 3.3 returns different results between sessions
  10. Is distributing python source code in Docker secure?
  11. Use of eval in Python?
  12. Python eval: is it still dangerous if I disable builtins and attribute access?
  13. Hiding a password in a python script (insecure obfuscation only)
  14. Python: How can I run eval() in the local scope of a function
  15. AttributeError: ‘PandasExprVisitor’ object has no attribute ‘visit_Ellipsis’, using pandas eval
  16. Change to sudo user within a python script
  17. Securely Erasing Password in Memory (Python)
  18. Python 3, Are there any known security holes in ast.literal_eval(node_or_string)?
  19. Why does ast.literal_eval(‘5 * 7’) fail?
  20. Is a SQLAlchemy query vulnerable to injection attacks?
  21. Is this Python code vulnerable to SQL injection? (SQLite3)
  22. Create a temporary FIFO (named pipe) in Python?
  23. Encrypted and secure docker containers
  24. Google Authenticator implementation in Python
  25. Do CSRF attacks apply to API’s?
  26. eval fails in list comprehension [duplicate]
  27. Converting python string into bytes directly without eval()
  28. What’s the purpose of Django setting ‘SECRET_KEY’?
  29. How does str(list) work?
  30. Running Python code contained in a string

Leave a Comment