Tighten up eval() scope in show result subcommand

[mudpy.git] / mudpy / command.py

diff --git a/mudpy/command.py b/mudpy/command.py
index 0ffff97..601bc82 100644 (file)
--- a/mudpy/command.py
+++ b/mudpy/command.py
@@ -537,7 +537,12 @@ def show(actor, parameters):
             message = "You need to specify an expression."
         else:
             try:
-                message = repr(eval(" ".join(arguments[1:])))
+                # there is no other option than to use eval() for this, since
+                # its purpose is to evaluate arbitrary expressions, so do what
+                # we can to secure it and whitelist it for bandit analysis
+                message = repr(eval(  # nosec
+                    " ".join(arguments[1:]),
+                    {"mudpy": mudpy, "universe": actor.universe}))
             except Exception as e:
                 message = ("$(red)Your expression raised an exception...$(eol)"
                            "$(eol)$(bld)%s$(nrm)" % e)