safe_eval()

ros · Sep 3, 2021 · 9941961 · 9941961 · gavanderhoorn · Sep 9, 2021
1 parent 5c12898
commit 9941961
Showing 1 changed file with 16 additions and 5 deletions.
diff --git a/src/xacro/__init__.py b/src/xacro/__init__.py
@@ -120,10 +120,10 @@ def __getattr__(self, item):
 
 def construct_angle_radians(loader, node):
     """utility function to construct radian values from yaml"""
-    value = loader.construct_scalar(node).strip()
+    value = loader.construct_scalar(node)
     try:
-        return float(eval(value, global_symbols, global_symbols))
-    except SyntaxError as e:
+        return float(safe_eval(value, global_symbols))
+    except SyntaxError:
         raise XacroException("invalid expression: %s" % value)
 
 
@@ -156,13 +156,24 @@ def load_yaml(filename):
 # taking simple security measures to forbid access to __builtins__
 # only the very few symbols explicitly listed are allowed
 # for discussion, see: http://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html
-global_symbols = {'__builtins__': {k: __builtins__[k] for k in ['list', 'dict', 'map', 'len', 'str', 'float', 'int', 'True', 'False', 'min', 'max', 'round']}}
+global_symbols = {k: __builtins__[k] for k in
+                    ['list', 'dict', 'map', 'len', 'str', 'float', 'int',
+                     'True', 'False', 'min', 'max', 'round']}
 # also define all math symbols and functions
 global_symbols.update(math.__dict__)
 # expose load_yaml, abs_filename, and dotify
 global_symbols.update(dict(load_yaml=load_yaml, abs_filename=abs_filename_spec, dotify=YamlDictWrapper))
 
 
+def safe_eval(expr, globals, locals=None):
+    code = compile(expr.strip(), "<expression>", "eval")
+    invalid_names = [n for n in code.co_names if n.startswith("__")]
+    if invalid_names:
+        raise XacroException("Use of invalid name(s): ", ', '.join(invalid_names))
+    globals.update(__builtins__= {})  # disable default builtins
+    return eval(code, globals, locals)
+
+
 class XacroException(Exception):
     """
     XacroException allows to wrap another exception (exc) and to augment
@@ -683,7 +694,7 @@ def grab_properties(elt, table):
 def eval_text(text, symbols):
     def handle_expr(s):
         try:
-            return eval(eval_text(s, symbols), global_symbols, symbols)
+            return safe_eval(eval_text(s, symbols), global_symbols, symbols)
         except Exception as e:
             # re-raise as XacroException to add more context
             raise XacroException(exc=e,