Add strategy for safely evaluating builtins

thomasballinger · thomasballinger · commit fbf72d8c5a32 · 2015-12-14T17:39:19.000-05:00
diff --git a/bpython/autocomplete.py b/bpython/autocomplete.py
@@ -43,6 +43,7 @@
 from bpython.line import LinePart
 from bpython._py3compat import py3, try_decode
 from bpython.lazyre import LazyReCompile
+from bpython.simpleeval import safe_eval, EvaluationError
 
 if not py3:
     from types import InstanceType, ClassType
@@ -648,20 +649,6 @@ def get_completer_bpython(cursor_offset, line, **kwargs):
                          cursor_offset, line, **kwargs)
 
 
-class EvaluationError(Exception):
-    """Raised if an exception occurred in safe_eval."""
-
-
-def safe_eval(expr, namespace):
-    """Not all that safe, just catches some errors"""
-    try:
-        return eval(expr, namespace)
-    except (NameError, AttributeError, SyntaxError):
-        # If debugging safe_eval, raise this!
-        # raise
-        raise EvaluationError
-
-
 def _callable_postfix(value, word):
     """rlcompleter's _callable_postfix done right."""
     with inspection.AttrCleaner(value):
diff --git a/bpython/simpleeval.py b/bpython/simpleeval.py
@@ -0,0 +1,83 @@
+# encoding: utf-8
+"""simple evaluation of side-effect free code
+
+In order to provide fancy completion, some code can be executed safely.
+
+"""
+
+from ast import *
+from six import string_types
+
+class EvaluationError(Exception):
+    """Raised if an exception occurred in safe_eval."""
+
+
+def safe_eval(expr, namespace):
+    """Not all that safe, just catches some errors"""
+    try:
+        return eval(expr, namespace)
+    except (NameError, AttributeError, SyntaxError):
+        # If debugging safe_eval, raise this!
+        # raise
+        raise EvaluationError
+
+def simple_eval(node_or_string, namespace={}):
+    """
+    Safely evaluate an expression node or a string containing a Python
+    expression.  The string or node provided may only consist of:
+    * the following Python literal structures: strings, numbers, tuples,
+        lists, dicts, booleans, and None.
+    * variable names causing lookups in the passed in namespace or builtins
+    * getitem calls using the [] syntax on objects of the types above
+    * getitem calls on subclasses of the above types if they do not override
+        the __getitem__ method and do not override __getattr__ or __getattribute__
+        (or maybe we'll try to clean those up?)
+
+    The optional namespace dict-like ought not to cause side effects on lookup
+    """
+    if isinstance(node_or_string, string_types):
+        node_or_string = parse(node_or_string, mode='eval')
+    if isinstance(node_or_string, Expression):
+        node_or_string = node_or_string.body
+    def _convert(node):
+        if isinstance(node, Str):
+            return node.s
+        elif isinstance(node, Num):
+            return node.n
+        elif isinstance(node, Tuple):
+            return tuple(map(_convert, node.elts))
+        elif isinstance(node, List):
+            return list(map(_convert, node.elts))
+        elif isinstance(node, Dict):
+            return dict((_convert(k), _convert(v)) for k, v
+                        in zip(node.keys, node.values))
+        elif isinstance(node, Name):
+            try:
+                return namespace[node.id]
+            except KeyError:
+                return __builtins__[node.id]
+        elif isinstance(node, BinOp) and \
+             isinstance(node.op, (Add, Sub)) and \
+             isinstance(node.right, Num) and \
+             isinstance(node.right.n, complex) and \
+             isinstance(node.left, Num) and \
+             isinstance(node.left.n, (int, long, float)):
+            left = node.left.n
+            right = node.right.n
+            if isinstance(node.op, Add):
+                return left + right
+            else:
+                return left - right
+        elif isinstance(node, Subscript) and \
+             isinstance(node.slice, Index):
+            obj = _convert(node.value)
+            index = _convert(node.slice.value)
+            return safe_getitem(obj, index)
+
+        raise ValueError('malformed string')
+    return _convert(node_or_string)
+
+def safe_getitem(obj, index):
+    if type(obj) in (list, tuple, dict, bytes) + string_types:
+        return obj[index]
+    raise ValueError('unsafe to lookup on object of type %s' % (type(obj), ))
diff --git a/bpython/test/test_simpleeval.py b/bpython/test/test_simpleeval.py
@@ -0,0 +1,71 @@
+# -*- coding: utf-8 -*-
+
+import ast
+
+from bpython.simpleeval import simple_eval
+from bpython.test import unittest
+
+
+class TestInspection(unittest.TestCase):
+    def assertMatchesStdlib(self, expr):
+        self.assertEqual(ast.literal_eval(expr), simple_eval(expr))
+
+    def test_matches_stdlib(self):
+        """Should match the stdlib literal_eval if no names or indexing"""
+        self.assertMatchesStdlib("[1]")
+        self.assertMatchesStdlib("{(1,): [2,3,{}]}")
+
+    def test_indexing(self):
+        """Literals can be indexed into"""
+        self.assertEqual(simple_eval('[1,2][0]'), 1)
+        self.assertEqual(simple_eval('a', {'a':1}), 1)
+
+    def test_name_lookup(self):
+        """Names can be lookup up in a namespace"""
+        self.assertEqual(simple_eval('a', {'a':1}), 1)
+        self.assertEqual(simple_eval('map'), map)
+        self.assertEqual(simple_eval('a[b]', {'a':{'c':1}, 'b':'c'}), 1)
+
+    def test_allow_name_lookup(self):
+        """Names can be lookup up in a namespace"""
+        self.assertEqual(simple_eval('a', {'a':1}), 1)
+
+    def test_lookup_on_suspicious_types(self):
+        class FakeDict(object):
+            pass
+
+        with self.assertRaises(ValueError):
+            simple_eval('a[1]', {'a': FakeDict()})
+
+        class TrickyDict(dict):
+            def __getitem__(self, index):
+                self.fail("doing key lookup isn't safe")
+
+        with self.assertRaises(ValueError):
+            simple_eval('a[1]', {'a': TrickyDict()})
+
+        class SchrodingersDict(dict):
+            def __getattribute__(inner_self, attr):
+                self.fail("doing attribute lookup might have side effects")
+
+        with self.assertRaises(ValueError):
+            simple_eval('a[1]', {'a': SchrodingersDict()})
+
+        class SchrodingersCatsDict(dict):
+            def __getattr__(inner_self, attr):
+                self.fail("doing attribute lookup might have side effects")
+
+        with self.assertRaises(ValueError):
+            simple_eval('a[1]', {'a': SchrodingersDict()})
+
+    def test_function_calls_raise(self):
+        with self.assertRaises(ValueError):
+            simple_eval('1()')
+
+    def test_nonexistant_names_raise(self):
+        with self.assertRaises(KeyError):
+            simple_eval('a')
+
+
+if __name__ == '__main__':
+    unittest.main()
