Evaluator crash on complex assignment target in list comprehension #76

Open
lubieowoce opened this issue Sep 23, 2020 · 3 comments

@lubieowoce

lubieowoce commented Sep 23, 2020

simpleeval 0.9.10

So I just remembered that any valid assignment target can be used in a list comprehension! i.e. something like [... for foo[0] in ...] is valid syntax.

Expected behavior

>>> [x for x in ([None],) for x[0] in (15,)]
[[15]]

Actual behavior

>>> from simpleeval import EvalWithCompoundTypes
>>> EvalWithCompoundTypes().eval('[x for x in ([None],) for x[0] in (15,)]')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "LIBPATH/simpleeval.py", line 539, in eval
    return super(EvalWithCompoundTypes, self).eval(expr)
  File "LIBPATH/simpleeval.py", line 332, in eval
    return self._eval(ast.parse(expr.strip()).body[0].value)
  File "LIBPATH/simpleeval.py", line 343, in _eval
    return handler(node)
  File "LIBPATH/simpleeval.py", line 597, in _eval_comprehension
    do_generator()
  File "LIBPATH/simpleeval.py", line 592, in do_generator
    do_generator(gi+1)
  File "LIBPATH/simpleeval.py", line 589, in do_generator
    recurse_targets(g.target, i)
  File "LIBPATH/simpleeval.py", line 579, in recurse_targets
    for t, v in zip(target.elts, value):
AttributeError: 'Subscript' object has no attribute 'elts'
@lubieowoce
Author

Also, this trick can be used to construct a list that contains itself:

>>> [x for x in ([None],) for x[0] in (x,)]
[[[...]]]

repr() is smart enough to handle the infinite-ness, but it can probably still be used to crash something:

>>> [x for x in ([None],) for x[0] in (x,)] == [x for x in ([None],) for x[0] in (x,)]
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
RecursionError: maximum recursion depth exceeded in comparison
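The crash above comes from the evaluator assuming every comprehension target is either a name or a tuple with `.elts`. The following is an added example, not simpleeval's own code: a pre-flight AST check that rejects any comprehension target other than a plain name (or a nested tuple/list of names), so an expression like `[x for x in ([None],) for x[0] in (x,)]` fails with one clean, catchable exception before evaluation instead of an `AttributeError` deep inside the evaluator. The exception class `TargetNotAllowed` and the function names are hypothetical.

```python
import ast

# Every comprehension node type that carries a `generators` list.
COMPREHENSIONS = (ast.ListComp, ast.SetComp, ast.GeneratorExp, ast.DictComp)


class TargetNotAllowed(ValueError):
    """Hypothetical exception: a comprehension binds something other than simple names."""


def _check_target(target: ast.expr) -> None:
    """Allow a bare name, or a (nested) tuple/list made only of bare names."""
    if isinstance(target, ast.Name):
        return
    if isinstance(target, (ast.Tuple, ast.List)):
        for elt in target.elts:
            _check_target(elt)
        return
    # Subscript, Attribute and Starred are valid assignment targets in
    # Python, but a restricted expression evaluator should not bind into
    # containers or attributes; `x[0]` is also what enables the
    # self-referencing list in the thread above. Reject them explicitly.
    raise TargetNotAllowed(
        f"comprehension target {ast.dump(target)} is not a plain name"
    )


def check_comprehension_targets(expr: str) -> ast.Expression:
    """Parse `expr` (an expression, like simpleeval does) and validate
    the target of every generator in every comprehension it contains."""
    tree = ast.parse(expr.strip(), mode="eval")
    for node in ast.walk(tree):  # walk also reaches nested comprehensions
        if isinstance(node, COMPREHENSIONS):
            for gen in node.generators:
                _check_target(gen.target)
    return tree


def is_safe_target_expr(expr: str) -> bool:
    """Boolean wrapper for callers that prefer a verdict over an exception."""
    try:
        check_comprehension_targets(expr)
    except TargetNotAllowed:
        return False
    return True
```

Running the check before handing the string to the evaluator turns the two constructions from this thread into a single `TargetNotAllowed`, while ordinary comprehensions such as `[a + b for a, b in pairs]` pass untouched.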

@danthedeckie
Owner

danthedeckie commented Feb 17, 2023

That's... fun - definitely something to handle better than that!

I'm not tooooo worried about it, it's a bug, in that it throws a non-SimpleEval exception, but I don't believe there are any security implications.

Although, it would be good to add to the documentation that users should probably wrap any public facing usage of SimpleEval in a try:catch and log errors themselves...?

@lubieowoce
Author

lubieowoce commented Feb 25, 2023

Hah, wow, that's an old one! I haven't done Python in a couple of years, so thanks for the reminder; this was a fun hack. I'm not sure if exploitability is a big worry here... I guess this circularity construction could maaaaaaybe be used as a DoS vector somehow. But I don't currently have ideas for how that'd work.
