In order to slightly reduce risk but mostly to increase convenience
with the `show result` administrative subcommand, replace its eval()
invocation's globals with just the mudpy module namespace and the
actor's universe pointer as "universe" (this way exploratory
expressions don't need to do things relative to actor.universe all
the time). Extend the selftest to confirm these are present and that
any attempts to access other globals and locals within the
command.show() function's scope raise an exception.
Whitelist this intentional use of eval() for bandit analysis.
message = "You need to specify an expression."
else:
try:
message = "You need to specify an expression."
else:
try:
- message = repr(eval(" ".join(arguments[1:])))
+ # there is no other option than to use eval() for this, since
+ # its purpose is to evaluate arbitrary expressions, so do what
+ # we can to secure it and whitelist it for bandit analysis
+ message = repr(eval( # nosec
+ " ".join(arguments[1:]),
+ {"mudpy": mudpy, "universe": actor.universe}))
except Exception as e:
message = ("$(red)Your expression raised an exception...$(eol)"
"$(eol)$(bld)%s$(nrm)" % e)
except Exception as e:
message = ("$(red)Your expression raised an exception...$(eol)"
"$(eol)$(bld)%s$(nrm)" % e)
test_show_result = (
(2, "> ", "show result 12345*67890"),
(2, r"\r\n838102050\r\n.*> ", "show result 1/0"),
test_show_result = (
(2, "> ", "show result 12345*67890"),
(2, r"\r\n838102050\r\n.*> ", "show result 1/0"),
- (2, r"Your expression raised an exception.*division by zero.*> ", ""),
+ (2, r"Your expression raised an exception.*division by zero.*> ",
+ "show result mudpy"),
+ (2, r"<module 'mudpy' from .*> ", "show result re"),
+ (2, r"Your expression raised an exception.*name 're' is not defined.*> ",
+ "show result universe"),
+ (2, r"<mudpy.misc.Universe object at 0x.*> ", "show result actor"),
+ (2, r"Your expression raised an exception.*name 'actor' is not "
+ r"defined.*> ", ""),
projects / mudpy.git / commitdiff