X-Git-Url: https://mudpy.org/gitweb?p=mudpy.git;a=blobdiff_plain;f=mudpy%2Fcommand.py;h=601bc82c3ca7d2e3704e1465ef795c31478e0100;hp=0ffff978407e74298886cf762e1a51b0a7e00952;hb=13ad9d33469c0ad12d0de34744cb30cc00bdba32;hpb=64dcfbed1d763781934f7d968318bf15a12d6844
diff --git a/mudpy/command.py b/mudpy/command.py
index 0ffff97..601bc82 100644
--- a/mudpy/command.py
+++ b/mudpy/command.py
@@ -537,7 +537,12 @@ def show(actor, parameters):
 message = "You need to specify an expression."
 else:
 try:
- message = repr(eval(" ".join(arguments[1:])))
+ # there is no other option than to use eval() for this, since
+ # its purpose is to evaluate arbitrary expressions, so do what
+ # we can to secure it and whitelist it for bandit analysis
+ message = repr(eval( # nosec
+ " ".join(arguments[1:]),
+ {"mudpy": mudpy, "universe": actor.universe}))
 except Exception as e:
 message = ("$(red)Your expression raised an exception...$(eol)"
 "$(eol)$(bld)%s$(nrm)" % e)
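Review bot: The restricted globals dict passed to the new `eval()` call does not sandbox the expression: when a globals mapping has no `__builtins__` key, CPython inserts the full builtins module, so `__import__`, `open` and the rest stay reachable, and even with `__builtins__` blanked the usual introspection escapes (`().__class__.__base__.__subclasses__()`) still work. The added comment saying the mapping is there to "secure" the call therefore overstates what it does, which is only to select the names the expression sees (`mudpy`, `universe`) instead of the whole module namespace of command.py. I would reword it to `# NOTE: eval() of an arbitrary expression cannot be sandboxed; the globals dict only picks which names the expression sees (Python still injects __builtins__), so the real control is that this command must stay limited to trusted administrators.` and confirm, outside this hunk, that `show` is gated on an administrator/privilege check before the eval branch is reachable. The body of `show` begins before and continues after the hunk.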