X-Git-Url: https://mudpy.org/gitweb?p=mudpy.git;a=blobdiff_plain;f=mudpy%2Fcommand.py;h=d72e4e3ea039cedf68b708770d2c2d9c73ad5810;hp=0ffff978407e74298886cf762e1a51b0a7e00952;hb=472e1de5356e4df0f099fe6a17ff6dab585314f3;hpb=bf6ed46991ffdc587d4e70362a4bd20d6f84fcee
diff --git a/mudpy/command.py b/mudpy/command.py
index 0ffff97..d72e4e3 100644
--- a/mudpy/command.py
+++ b/mudpy/command.py
@@ -111,7 +111,9 @@ def error(actor, input_data):
     """Generic error for an unrecognized command word."""
     # 90% of the time use a generic error
-    if random.randrange(10):
+    # Whitelist the random.randrange() call in bandit since it's not used for
+    # security/cryptographic purposes
+    if random.randrange(10):  # nosec
         message = '''I'm not sure what "''' + input_data + '''" means...'''
     # 10% of the time use the classic diku error
@@ -537,7 +539,12 @@ def show(actor, parameters):
         message = "You need to specify an expression."
     else:
         try:
-            message = repr(eval(" ".join(arguments[1:])))
+            # there is no other option than to use eval() for this, since
+            # its purpose is to evaluate arbitrary expressions, so do what
+            # we can to secure it and whitelist it for bandit analysis
+            message = repr(eval(  # nosec
+                " ".join(arguments[1:]),
+                {"mudpy": mudpy, "universe": actor.universe}))
         except Exception as e:
             message = ("$(red)Your expression raised an exception...$(eol)"
                        "$(eol)$(bld)%s$(nrm)" % e)
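Review bot: The bare `# nosec` added on the `if random.randrange(10):` line silences every bandit check on that line, not only the B311 finding the new comment justifies, so an unrelated future finding on the same line would be hidden as well. Bandit accepts a scoped marker, so `if random.randrange(10):  # nosec B311` records exactly which rule is being waived while the two comment lines above keep the rationale. The body of error() continues past the end of this hunk.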
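Review bot: The globals dict passed on the `message = repr(eval(  # nosec` line restricts name lookup but does not sandbox eval(): when the dict carries no `__builtins__` key, CPython inserts the full builtins module, so `__import__`, `open` and `exec` remain reachable from the expression, and even an empty `__builtins__` is routinely escaped through object introspection such as `().__class__.__mro__[1].__subclasses__()`. The new comment's "do what we can to secure it" therefore overstates the change; the only effective control is restricting who may invoke show, which is not visible in this hunk and is presumably handled by the command's permission gating elsewhere. I would replace the three comment lines with `# eval() here is full code execution by design; the globals dict only scopes name lookup and is NOT a sandbox, so this command must stay restricted to trusted administrators`. Note also a behaviour change worth a mention in the commit: the old call evaluated in the caller's frame, so expressions that referenced `actor` or `arguments` now raise NameError, with `universe` the only local still exposed. show()'s body starts and ends outside the hunk.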