
I'm trying to run a sample function that allows a user to execute arbitrary code.

Note: I'm assuming this is ok because Azure Functions will by default provide a sandbox. (And the end user will need to write code with dataframes, objects etc. I've looked into pypy.org but don't think I need it as I am not worried about attacks that use it as a spambot or something):

```python
import os
import json
import ast
print('==============in python function========================')
postreqdata = json.loads(open(os.environ['req']).read())
response = open(os.environ['res'], 'w')
response.write("hello world from "+postreqdata['name'])
response.close()
logic = (postreqdata['logic'])
eval(logic)
```

but I keep getting the following output/error:

```
2018-01-17T09:09:08.949 ==============in python function========================
2018-01-17T09:09:09.207 Exception while executing function: Functions.ccfinopsRunModel. Microsoft.Azure.WebJobs.Script: Traceback (most recent call last):
  File "D:\home\site\wwwroot\ccfinopsRunModel\run.py", line 12, in <module>
    eval(logic)
  File "<string>", line 1
    print('code sent from client')
        ^
SyntaxError: invalid syntax
.
```

My POST request body contains the following:

```json
{
    "name": "Python Function App",
    "logic": "print('code sent from client')"
}
```

So the "logic" variable is being read in, and eval() is trying to interpret the string as Python code, but it is causing a Syntax Error where there appears to be none.

What am I doing wrong? If there was a restriction on 'eval' I'm assuming it would say that instead of "Syntax Error".

Thanks for any help you can provide!

ASX
  • Possible duplicate of [Why is Python's eval() rejecting this multiline string, and how can I fix it?](https://stackoverflow.com/questions/12698028/why-is-pythons-eval-rejecting-this-multiline-string-and-how-can-i-fix-it) – sytech Jan 17 '18 at 09:04

1 Answer

Use exec to run your code. eval is used for evaluating expressions.

```python
logic = (postreqdata['logic'])
exec(logic)
```

You can also try sending your code as a multi-line string, as below:

```python
>>> s = '''
... for i in range(3):
...     print(i)
... '''
>>> exec(s)
0
1
2
```

Prakash Palnati
  • I tried this, but got the same error. I also tried the AST eval version (even though it doesn't meet my needs) and got the same error ("Syntax Error") – ASX Jan 17 '18 at 08:45
  • Try sending your code as a multi-line string and pass that to exec. There is no other reason for your code to fail. Edited my code with an example – Prakash Palnati Jan 17 '18 at 08:46
  • Actually I think the issue was both the exec + multiline together. Using exec() + single line works. However, I'm trying to submit a "full script" (i.e. an arbitrary function, which will have line breaks, which I'm planning to concatenate with \n into 1 long string, and submit as a POST Body). How would I auto-format it if not with \n? Thanks for your help! EDIT: To clarify, since Python scopes/runs functions by indentation...how would I preserve this when using exec, if not by \n and \t – ASX Jan 17 '18 at 09:36
  • You can make use of Firepad, which handles the code indentation before serializing and sending the code. Also send your code in a file and then read/parse – Prakash Palnati Jan 17 '18 at 10:43
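
The round trip discussed in this thread, as an added example that is not code from the question or the answer: a multi-line script is JSON-encoded into the "logic" field, decoded on the server, syntax-checked, and run with exec while its output is captured. It assumes Python 3; `SCRIPT`, `build_request_body`, `is_expression` and `run_logic` are hypothetical names, and the sample script is constructed.

```python
import ast
import contextlib
import io
import json

# Constructed sample: a multi-line script with nested indentation.
SCRIPT = '''def total(rows):
    s = 0
    for r in rows:
        s += r["amount"]
    return s

print(total([{"amount": 2}, {"amount": 3}]))
'''


def build_request_body(name, source):
    """Client side: json.dumps escapes newlines, so the body is one line."""
    return json.dumps({"name": name, "logic": source})


def is_expression(source):
    """True only if eval() could take the string (a single expression)."""
    try:
        ast.parse(source, mode="eval")
        return True
    except SyntaxError:
        return False


def run_logic(body):
    """Server side: decode the body, syntax-check, run, capture stdout."""
    logic = json.loads(body)["logic"]  # escapes become real newlines again
    try:
        code = compile(logic, "<logic>", "exec")  # statements allowed
    except SyntaxError as err:
        return {"status": "syntax-error", "line": err.lineno, "output": ""}
    out = io.StringIO()
    # A fresh globals dict only keeps names apart; it is not a sandbox.
    # Isolation still has to come from the host, as the question assumes.
    namespace = {}
    try:
        with contextlib.redirect_stdout(out):
            exec(code, namespace)
    except Exception as err:
        return {"status": "runtime-error", "line": None,
                "output": out.getvalue() + type(err).__name__}
    return {"status": "ok", "line": None, "output": out.getvalue()}
```

Because the JSON encoder escapes the line breaks and the decoder restores them, the indentation reaches exec unchanged without any manual concatenation of \n and \t.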