
A layer of protection for Python's eval

Project description


Cval

A layer of protection for eval

Installation

I know many people don't care about the motives behind a program, so I have put the installation at the top.

Unix and Mac

python3 -m pip install cval

Windows

py -m pip install cval

About

A decently simple script that uses regular expressions to add a layer of protection to eval. Why? Well, I keep seeing "eval really is dangerous" and "eval is a bad practice". All these statements have some validity to them, and there is almost always a better way to do what you want to accomplish. Cval tackles the "eval really is dangerous" mindset: if you must use eval for a public project, use cval.

Exploiting

I encourage you to break my script, report any bugs or vulnerabilities here, thanks!

Examples

These examples are focused purely on security rather than on real-world practical use.

Disable module importing

from cval import cval  # assumed import path; the examples below use the same `cval` function

# :NOTE: modules is False by default, and the reason we allow function calls
#        is to see the error given when trying to import a module.
cval('__import__("os")', calls=True, modules=False)

Output:

cval.IllegalSource: Cval panicked due to an attempted illegal import of the module "os"

Allow certain modules

cval('__import__("os")', allowed_modules=["os"], allowed_calls=["import"])

Disable function calls

cval('print("Hello, World!")', calls=False)

Output:

cval.IllegalSource: Cval panicked due to an illegal function call in source! Attemped call to "print"

Allow certain function calls

cval('print("Hello, World!")', allowed_calls=["print"])

Block access to global variables

foo = "bar"

def foobar():
    # :NOTE: `globals` doesn't need to be passed in this case;
    #        this is only done here for clarity
    cval('print(foo)', globals=globals(), allowed_calls=["print"])  # Will not be able to access "foo"
foobar()

Output:

cval.SuspiciousSource: Cval found global variable "foo" in the source, killing for safety.

Allow some access to global variables

foo = "bar"

def foobar():
    cval('print(foo)', globals=globals(), allowed_global_vars=["foo"], allowed_calls=["print"])
foobar()

Output:

bar

Allow access to all global variables

foo = "bar"
bar = "foo"

def foobar():
    cval('print(bar+foo)', globals=globals(), allowed_global_vars=["*"], allowed_calls=["print"])
foobar()

Output:

foobar

Block access to local variables

def fizzbuzz():
    fizz = "buzz"
    # `allowed_calls` lets the print call through so the local-variable check is what fires
    cval('print(fizz)', locals=locals(), allowed_calls=["print"])  # Will not be able to access "fizz"
fizzbuzz()

Output:

cval.SuspiciousSource: Cval found local variable "fizz" in the source, killing for safety.

Allow some access to local variables

def fizzbuzz():
    fizz = "buzz"
    cval('print(fizz)', locals=locals(), allowed_local_vars=["fizz"], allowed_calls=["print"])
fizzbuzz()

Output:

buzz

Allow access to all local variables

def fizzbuzz():
    fizz = "buzz"
    buzz = "fizz"
    cval('print(buzz+fizz)', locals=locals(), allowed_local_vars=["*"], allowed_calls=["print"])
fizzbuzz()

Output:

fizzbuzz
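The same allowlist policy the examples above describe (named calls, named variables, everything else refused), written here as an added example that is not cval's own code: it checks the parsed AST instead of matching the source text with regular expressions, and evaluates in a namespace built only from the allowlists. `guarded_eval`, `outcome`, `IllegalSource` and the sample variables are assumptions of this example.

```python
import ast
import builtins


class IllegalSource(Exception):
    """Raised before evaluation when the source breaks the policy."""


def guarded_eval(source, allowed_calls=(), allowed_names=(), env=None):
    """Parse `source` as an expression and evaluate it only if every call
    and every variable it uses is on an allowlist. Attribute access is
    refused outright, and nothing is looked up that the caller did not
    explicitly allow (no inherited builtins, no caller globals)."""
    env = dict(env or {})
    tree = ast.parse(source, mode="eval")
    call_funcs = set()  # Name nodes that are the target of an allowed Call
    for node in ast.walk(tree):  # parents are visited before their children
        if isinstance(node, ast.Attribute):
            raise IllegalSource(f'attribute access ".{node.attr}" is not allowed')
        if isinstance(node, ast.Call):
            if not isinstance(node.func, ast.Name) or node.func.id not in allowed_calls:
                raise IllegalSource("illegal function call in source")
            call_funcs.add(id(node.func))
        elif isinstance(node, ast.Name) and id(node) not in call_funcs:
            if node.id not in allowed_names:
                raise IllegalSource(f'variable "{node.id}" is not on the allowlist')
    # Build the evaluation namespace from the allowlists only.
    safe_builtins, namespace = {}, {}
    for name in set(allowed_calls) | set(allowed_names):
        if name in env:
            namespace[name] = env[name]
        elif hasattr(builtins, name):
            safe_builtins[name] = getattr(builtins, name)
    namespace["__builtins__"] = safe_builtins
    return eval(compile(tree, "<guarded>", "eval"), namespace)


def outcome(source, **policy):
    """Return the evaluated value, or 'blocked: <reason>' when the policy refused it."""
    try:
        return guarded_eval(source, **policy)
    except IllegalSource as exc:
        return f"blocked: {exc}"


if __name__ == "__main__":
    env = {"foo": "bar", "bar": "foo"}  # constructed sample variables
    print(outcome('__import__("os")'))                                   # blocked
    print(outcome("foo", env=env))                                       # blocked: foo not allowed
    print(outcome("bar + foo", allowed_names=["foo", "bar"], env=env))   # foobar
    print(outcome("len(foo)", allowed_calls=["len"], allowed_names=["foo"], env=env))  # 3
```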

Download files

Source Distribution: cval-2.0.0.tar.gz (17.4 kB)

Built Distribution: cval-2.0.0-py2.py3-none-any.whl (16.6 kB, Python 2 and Python 3)
