From: Jeremy Stanley <fungi@yuggoth.org>
Date: Tue, 24 Dec 2019 21:33:37 +0000 (+0000)
Subject: Tighten up eval() scope in show result subcommand
X-Git-Tag: 0.1.0~22
X-Git-Url: https://mudpy.org/gitweb?p=mudpy.git;a=commitdiff_plain;h=13ad9d33469c0ad12d0de34744cb30cc00bdba32

Tighten up eval() scope in show result subcommand

In order to slightly reduce risk but mostly to increase convenience
with the `show result` administrative subcommand, replace its eval()
invocation's globals with just the mudpy module namespace and the
actor's universe pointer as "universe" (this way exploratory
expressions don't need to do things relative to actor.universe all
the time). Extend the selftest to confirm these are present and that
any attempts to access other globals and locals within the
command.show() function's scope raise an exception.

Whitelist this intentional use of eval() for bandit analysis.
---

diff --git a/mudpy/command.py b/mudpy/command.py
index 0ffff97..601bc82 100644
--- a/mudpy/command.py
+++ b/mudpy/command.py
@@ -537,7 +537,12 @@ def show(actor, parameters):
             message = "You need to specify an expression."
         else:
             try:
-                message = repr(eval(" ".join(arguments[1:])))
+                # there is no other option than to use eval() for this, since
+                # its purpose is to evaluate arbitrary expressions, so do what
+                # we can to secure it and whitelist it for bandit analysis
+                message = repr(eval(  # nosec
+                    " ".join(arguments[1:]),
+                    {"mudpy": mudpy, "universe": actor.universe}))
             except Exception as e:
                 message = ("$(red)Your expression raised an exception...$(eol)"
                            "$(eol)$(bld)%s$(nrm)" % e)
diff --git a/mudpy/tests/selftest.py b/mudpy/tests/selftest.py
index 512ead1..9c4def3 100644
--- a/mudpy/tests/selftest.py
+++ b/mudpy/tests/selftest.py
@@ -295,7 +295,14 @@ test_show_element = (
 test_show_result = (
     (2, "> ", "show result 12345*67890"),
     (2, r"\r\n838102050\r\n.*> ", "show result 1/0"),
-    (2, r"Your expression raised an exception.*division by zero.*> ", ""),
+    (2, r"Your expression raised an exception.*division by zero.*> ",
+     "show result mudpy"),
+    (2, r"<module 'mudpy' from .*> ", "show result re"),
+    (2, r"Your expression raised an exception.*name 're' is not defined.*> ",
+     "show result universe"),
+    (2, r"<mudpy.misc.Universe object at 0x.*> ", "show result actor"),
+    (2, r"Your expression raised an exception.*name 'actor' is not "
+        r"defined.*> ", ""),
 )
 
 test_show_log = (