Merge pull request #584 from nickila/okta_whitelist

Added whitelist for functions available inside of eval()
adobe-apiplatform · Mar 23, 2020 · ea6a758 · ea6a758
2 parents d79bdb0 + e126106
commit ea6a758
Showing 1 changed file with 8 additions and 1 deletion.
diff --git a/user_sync/connector/directory_okta.py b/user_sync/connector/directory_okta.py
@@ -309,8 +309,15 @@ def iter_search_result(self, filter_string, attributes):
         return users
 
     def filter_users(self, users, filter_string):
+        # Allow the following builtin functions to be used in eval()
+        whitelist = {
+            "len": len, "int": int, "float": float, "str": str, "enumerate": enumerate, "filter": filter,
+            "getattr": getattr, "hasattr": hasattr, "list": list, "map": map, "max": max, "min": min,
+            "range": range, "sorted": sorted, "sum": sum, "tuple": tuple, "zip": zip
+        }
+
         try:
-            return list(filter(lambda user: eval(filter_string), users))
+            return list(filter(lambda user: eval(filter_string, {"__builtins__": whitelist}, {"user": user}), users))
         except SyntaxError as e:
             raise AssertionException("Invalid syntax in predicate (%s): cannot evaluate" % filter_string)
         except Exception as e: