"""Generic error for an unrecognized command word."""
# 90% of the time use a generic error
- if random.randrange(10):
+ # Whitelist the random.randrange() call in bandit since it's not used for
+ # security/cryptographic purposes
+ if random.randrange(10): # nosec
message = '''I'm not sure what "''' + input_data + '''" means...'''
# 10% of the time use the classic diku error
message = "You need to specify an expression."
else:
try:
- message = repr(eval(" ".join(arguments[1:])))
+ # there is no other option than to use eval() for this, since
+ # its purpose is to evaluate arbitrary expressions, so do what
+ # we can to secure it and whitelist it for bandit analysis
+ message = repr(eval( # nosec
+ " ".join(arguments[1:]),
+ {"mudpy": mudpy, "universe": actor.universe}))
except Exception as e:
message = ("$(red)Your expression raised an exception...$(eol)"
"$(eol)$(bld)%s$(nrm)" % e)