de-serialization Query() statement for search: is there a way not to use eval #528

I just looked at tinydb for a simple backward lookup-table in our gitlab job-board.
Works fine, but Snyk (our security analysis software) bails at the eval I have used.
Eval is terrible, but eval on an input parameter of a rest api is a no-go.
Any way to omit the eval?
Calling it:
read("jobid==1139998")
returning:
This is called from a rest-api so I have to send a string query, not a statement.

Comments

Yeah, based on the function you provided there is a code execution bug in the function read().
Here is the code that I have used and this is my console after I ran this: A better way to write this read function is to add sanitization and filters so that it detects any malicious data. For example, this is an example of a safer read function:
This function is restricting any use of functions in the eval, which is good enough I guess. Code still can be executed, but there is nothing to worry about since no functions can be called. I hope this helps you understand why the eval is bad and that your function had a deadly bug!

Thanks, I will use that, but I was hoping I could just write Maybe a future feature request :-) Thanks again, the solution works as a dream, we keep 10K backlog links here now.

No problem fenchu, I am glad I was able to solve your problem! Best regards, deadoverflow
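The thread's underlying problem is turning a query string received over a REST API (such as "jobid==1139998") into a search condition without handing that string to eval(). The block below is an added illustration written for this thread; it is not code posted by either participant and not part of TinyDB. It parses a deliberately small grammar (field, comparison operator, literal value, clauses joined by " and "), accepts only whitelisted field names, decodes values with ast.literal_eval (which understands literals only and never executes code), and returns a plain callable predicate. The names parse_query, read, is_rejected, SAMPLE_DOCS and FIELDS, and the sample job-board rows, are all constructed for the example.

```python
"""Parse a restricted query string into a document predicate without eval().

Added example for TinyDB issue #528; not TinyDB's own code.
"""
import ast
import operator
import re
from typing import Any, Callable, Dict, List, Mapping, Set, Tuple

# Only these comparison operators are accepted; anything else is rejected.
_OPS: Dict[str, Callable[[Any, Any], bool]] = {
    "==": operator.eq,
    "!=": operator.ne,
    ">=": operator.ge,
    "<=": operator.le,
    ">": operator.gt,
    "<": operator.lt,
}

# One clause: identifier, operator, literal.  Order in the alternation matters
# so that ">=" is tried before ">".
_CLAUSE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*(==|!=|>=|<=|>|<)\s*(.+?)\s*$")

Predicate = Callable[[Mapping[str, Any]], bool]


def parse_query(text: str, allowed_fields: Set[str]) -> Predicate:
    """Turn 'a==1 and b=="x"' into a callable that takes a document dict.

    Raises ValueError for unknown fields, unknown operators, malformed clauses
    or values that are not Python literals.  ast.literal_eval never evaluates
    calls, attribute access or names, so no code from the query can run.
    """
    clauses: List[Tuple[str, Callable[[Any, Any], bool], Any]] = []
    for part in text.split(" and "):  # string literals containing " and " are not supported
        m = _CLAUSE.match(part)
        if not m:
            raise ValueError(f"malformed clause: {part!r}")
        field, op, raw_value = m.groups()
        if field not in allowed_fields:
            raise ValueError(f"unknown field: {field!r}")
        try:
            value = ast.literal_eval(raw_value)
        except (ValueError, SyntaxError) as exc:
            raise ValueError(f"value is not a literal: {raw_value!r}") from exc
        clauses.append((field, _OPS[op], value))

    def predicate(doc: Mapping[str, Any]) -> bool:
        for field, fn, value in clauses:
            if field not in doc:
                return False
            try:
                if not fn(doc[field], value):
                    return False
            except TypeError:  # e.g. comparing a str field against an int literal
                return False
        return True

    return predicate


def read(docs: List[Dict[str, Any]], query_text: str, allowed_fields: Set[str]) -> List[Dict[str, Any]]:
    """Filter a list of documents.  With TinyDB the predicate can be handed to
    table.search(), which accepts a callable (assumption: recent TinyDB versions)."""
    pred = parse_query(query_text, allowed_fields)
    return [doc for doc in docs if pred(doc)]


def is_rejected(query_text: str, allowed_fields: Set[str]) -> bool:
    """True if the parser refuses the query (used to check the guard rails)."""
    try:
        parse_query(query_text, allowed_fields)
    except ValueError:
        return True
    return False


# Constructed sample data standing in for the job-board lookup table.
SAMPLE_DOCS: List[Dict[str, Any]] = [
    {"jobid": 1139998, "url": "https://example.invalid/job/1"},
    {"jobid": 1140000, "url": "https://example.invalid/job/2"},
    {"jobid": 1139998, "url": "https://example.invalid/job/3"},
]
FIELDS: Set[str] = {"jobid", "url"}


if __name__ == "__main__":
    print(read(SAMPLE_DOCS, "jobid==1139998", FIELDS))
    for bad in ("jobid==__import__('os')", "owner==1", "jobid=1"):
        print(repr(bad), "rejected:", is_rejected(bad, FIELDS))
```

The same three pieces (field, operator, literal) are exactly what TinyDB's Query() builds from, so once tinydb is installed each clause can equally be expressed as Query()[field] == value (and the others with the matching operators) and combined with &, which answers the title's question without any string evaluation; the parser above is the part that turns untrusted text into those pieces safely.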