I'm making an IRC bot: https://github.com/mouuff/MouBot
I would like the bot to reply with `eval()` when the message starts with `!math`, but it's creating failures if the user enters something like `!math exit()` and stuff like that.

- Please include the relevant parts of your code here. Or if you're really just looking for a simple `eval` without functions, [`ast.literal_eval`](http://docs.python.org/2/library/ast.html?highlight=ast#ast.literal_eval) should do the trick. – Ry- Nov 03 '12 at 17:51
- "safe eval" - what a wonderful oxymoron... If you've got an IRC bot in a channel with an `eval()` - everyone's going to abuse it - so don't do it... (or at least have some form of access control - (equiv. to owner level on eggdrop) so only people that can already mess things up can do so). If you just want "!math" - then have a look at `pyparsing` and one of its calculator examples, which can parse a string and return a result if necessary – Jon Clements Nov 03 '12 at 17:54
- There is no such thing as a safe eval – Daniel Nov 03 '12 at 17:57
- Even if you had a safe eval (in the sense that the user couldn't do anything obviously black-hat), you'd also have to handle the case where someone enters `9**9**9`, which is roughly 4.2812477317574708e+369693099. Python will happily try to compute all the digits, and there are lots of other DOS attack vectors this way. You can deal with these if you pay close attention when walking the AST, but it's a headache. – DSM Nov 03 '12 at 18:07
5 Answers
Don't.
It looks like you are trying to create a math parser. Then use a math parser, not a full-fledged I-will-run-any-code-parser. If you are using *nix, you could use a program like `bc` to do what you want.

Use the language services to compile it into an AST, walk the AST making sure that it contains only whitelisted node sets, then execute it.

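A worked version of the whitelist-the-AST approach from the answer above, as an added example that is not part of the original thread. It also goes a step beyond the answer by bounding exponents and integer sizes before computing them, which is the `9**9**9` problem raised in the comments. It assumes Python 3.8+ (`ast.Constant`); the `!math` prefix is the asker's command, and `MAX_EXPONENT` / `MAX_BITS` are assumed limits, not values from the thread.

```python
import ast
import operator

# Operators the bot may apply; every other AST node type is refused.
BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
           ast.Div: operator.truediv, ast.FloorDiv: operator.floordiv,
           ast.Mod: operator.mod, ast.Pow: operator.pow}
UNARY_OPS = {ast.UAdd: operator.pos, ast.USub: operator.neg}
MAX_EXPONENT = 1000   # assumed limits: stop 9**9**9-style resource exhaustion
MAX_BITS = 4096       # before the interpreter starts grinding on huge ints

def _check(value):
    # Refuse anything that is not a plain number, or an int that grew too large.
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        raise ValueError("unsupported value")
    if isinstance(value, int) and value.bit_length() > MAX_BITS:
        raise ValueError("result too large")
    return value

def _eval_node(node):
    if isinstance(node, ast.Expression):
        return _eval_node(node.body)
    if isinstance(node, ast.Constant):
        return _check(node.value)
    if isinstance(node, ast.UnaryOp) and type(node.op) in UNARY_OPS:
        return _check(UNARY_OPS[type(node.op)](_eval_node(node.operand)))
    if isinstance(node, ast.BinOp) and type(node.op) in BIN_OPS:
        left, right = _eval_node(node.left), _eval_node(node.right)
        if isinstance(node.op, ast.Pow):
            # Bound the exponent and the predicted size of an integer power before computing it.
            big = isinstance(left, int) and isinstance(right, int) and right > 0 \
                and left.bit_length() * right > MAX_BITS
            if abs(right) > MAX_EXPONENT or big:
                raise ValueError("exponent too large")
        return _check(BIN_OPS[type(node.op)](left, right))
    # Name, Call, Attribute, Subscript, ... end up here: exit() is never looked up.
    raise ValueError("unsupported expression: %s" % type(node).__name__)

def safe_math(expr):
    """Evaluate an arithmetic expression string; raises on anything else."""
    return _eval_node(ast.parse(expr, mode="eval"))

def handle_math_command(message):
    """Turn a '!math <expr>' IRC line into a reply string (the asker's command)."""
    expr = message[len("!math"):].strip()
    try:
        return str(safe_math(expr))
    except (SyntaxError, ValueError, ZeroDivisionError, OverflowError, RecursionError) as e:
        return "error: %s" % e
```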
The issue with `eval()` is that when it is executed, it is valid Python code, and `exit()` is a valid part of Python code, which usually exits a program (although this specific function should be used in IDLE, and `sys.exit()` is preferred in non-IDLE use).
For this reason, `eval()` should only be used with trusted input, or you should implement a parser for the commands passed to the `eval()` function, so as to eliminate undesirable input (possibly take a look at the `shlex` module for its `split()` function if you wish to implement your own; I have used it for many parsers).

If you want simple math evaluation, why do you want to bring the whole might of Python behind it, which can and will be abused?
Use something like PyParsing to write a simple calculator, e.g. see SimpleCalc.py or fournfn.py; I think those would be enough to get you started. You can also try SimpleParse.
And if you DO want to provide an eval-like powerful and abusable feature, you should start a VM, in which you start server processes which will reply to eval queries, and also limit each process using cgroups; when a VM goes down, start another one, or keep a pool of VMs and eval processes.

I am not sure it could help you, but look at this -> http://doc.pypy.org/en/latest/sandbox.html or this -> Is there an alternative to rexec for Python sandboxing?