Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[ADD] eval-referenced: Detects if a "eval" is referenced (without call it) #101

Merged
merged 2 commits into from
Jan 2, 2017
Merged

[ADD] eval-referenced: Detects if a "eval" is referenced (without call it) #101

merged 2 commits into from
Jan 2, 2017

Conversation

JesusZapata
Copy link
Member

Detects referenced and inferred cases

def func2(param): 
       param("c = 2")

 def func3():
     my_dict = {
         'my_eval': eval,  # [eval-referenced]
     }
     my_list = [eval]  # [eval-referenced]
 
     my_var = eval  # [eval-referenced]
     # inferred case
     my_var('d = 3')  # [eval-referenced]
     func2(eval)  # [eval-referenced]
     return my_dict, my_list

@JesusZapata JesusZapata changed the title [IMP] Detected use exec, eval and inferred cases [FIX] pylint_odoo: Solving conflicts Dec 30, 2016
@JesusZapata JesusZapata changed the title [FIX] pylint_odoo: Solving conflicts [IMP] Detected use eval and inferred cases Dec 30, 2016
@JesusZapata JesusZapata changed the title [IMP] Detected use eval and inferred cases [ADD] eval-referenced: Detects if a "eval" is referenced (without call it) Dec 30, 2016
@JesusZapata JesusZapata force-pushed the master-oca-detected-eval-referenced-jesuszapata branch from e304d23 to 064449e Compare December 30, 2016 19:33
[ADD] eval-referenced: Detects if a "eval" is referenced (without cal…
8002bd7 
…l it)

Cases detected:
my_dict = {
    'my_eval': eval,  # [eval-used]

}
my_list = [eval]  # [eval-used]
my_var = eval  # [eval-used]
my_var('d = 3')  # [eval-used]
func2(eval)  # [eval-used]
@JesusZapata JesusZapata force-pushed the master-oca-detected-eval-referenced-jesuszapata branch from 064449e to 8002bd7 Compare December 30, 2016 19:40
@moylop260
Copy link
Collaborator

moylop260 commented Dec 31, 2016
edited
Loading

The history of this check is funny.

I reviewed a old code because a translation wasn't loaded.
Then I found a context used from report like as:

context_used_in_report = {
   'eval': eval,
}

You know, the report is a template data loaded directly in the database.
Then a user could change the template and run any eval sentence!

The big vulnerability was injected 😢

pylint native detects just eval() invoke but not eval assignation or referenced.

Really this case is very dangerous and so hard to detect visually.
Then this check born thanks to that case.

FYI maintainer of pylint don't like this check pylint-dev/pylint#1215
because they are using a local template with eval from dict (Without database for users) then in that context is not dangerous, but for odoo is other case.

@lasley @pedrobaeza

@pedrobaeza
Copy link
Member

OK, I see the potential problem, and indeed we can detect this. In Odoo modules, no eval should be used (only safe_eval).

@lasley
Copy link
Contributor

lasley commented Dec 31, 2016
edited
Loading

Yeah I think this is a good idea @JesusZapata & @moylop260 - thank you.

I see where the maintainers of PyLint are coming from, but here in Odoo land it is like @pedrobaeza says - there is never a reason in which we should not be using safe_eval

lasley
lasley reviewed Dec 31, 2016
View reviewed changes
pylint_odoo/test_repo/no_odoo_module/eval_used.py
# -*- coding: utf-8 -*-


def func2(param):
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we name these methods something a little more descriptive? I know they're test methods, but func2 and func3 really hold no context on their own and require that you read the methods, or at least the doc block, to understand what they are doing.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This was extracted from original test of pylint.
Here we can fails all good practices.
But we dont have problem to change it
What is a good name for you in this case?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ummm maybe something similar to the docblocks? eval_from_param and eval_from_other?

lasley
lasley approved these changes Jan 2, 2017
View reviewed changes
Copy link
Contributor

@lasley lasley left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thansk @JesusZapata

@JesusZapata
Copy link
Member Author

@lasley Thanks

@moylop260
Copy link
Collaborator

@JesusZapata
After merge this one you should create a new PR to enable this new check from MQT

@moylop260 moylop260 merged commit 5f9c304 into OCA:master Jan 2, 2017
@moylop260 moylop260 deleted the master-oca-detected-eval-referenced-jesuszapata branch January 2, 2017 18:49
@JesusZapata
Copy link
Member Author

@moylop260 Done! OCA/maintainer-quality-tools#403

@moylop260 moylop260 mentioned this pull request Jan 3, 2017
Merged
@antonag32 antonag32 mentioned this pull request Oct 2, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@moylop260 moylop260 moylop260 approved these changes

@lasley lasley lasley approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@JesusZapata @moylop260 @pedrobaeza @lasley