is there security issue if you use eval() with locals only?

Asked Jun 08 '18 at 11:40

Active Jun 08 '18 at 11:40

Viewed 29 times

So I am loading some 'code' from a database. it is mostly string representation of some class.

so let says you have a custom class that look like MyClass(name=hello)

my code would look something like this:

import MyClass
string_rep_of_class = 'MyClass(name=hello)'
eval(string_rep_of_class, {'__builtins__': None}, {'MyClass': MyClass})

because I am not exposing bultins and only exposing the local MyClass is there a security issue I am missing or this is a pretty safe approach?

Thanks

asked Jun 08 '18 at 11:40

Steven G

2

relevant: https://stackoverflow.com/questions/35804961/python-eval-is-it-still-dangerous-if-i-disable-builtins-and-attribute-access/35808710 – Chris_Rands Jun 08 '18 at 11:42
@Chris_Rands ya thats sums it up pretty clearly thanks – Steven G Jun 08 '18 at 11:44

0 Answers0