Evaln't: How to replace `eval` in your code
Why you should never use
Some of you out there will know the dangers of the `eval` function, and some of you will not.
`eval` is (in)famously used in calculators and the like:

```python
print("=== Magic math == ")
print(eval(input("Math here: ")))
```

Because `eval` runs whatever Python expression the user types, the "math" can be anything at all. You can then, for example, get a bash shell:
I'm going to go over the three ways to avoid `eval`:
- Write a parser
- Use ast.literal_eval()
- Use asteval
#1: Write a parser.
This one is the hardest, but if you are embedding your own small language, it is the best option: the parser accepts only the grammar you define, so there are no names, calls or imports for an attacker to reach.
For more info, see CSharpIsGud's tutorial.
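Here is an added example of option #1 (my code, not from the original post or from CSharpIsGud's tutorial): the `eval` calculator from the start of the post beside a recursive-descent parser that accepts arithmetic and nothing else. The payload string is constructed for the demo; it reaches the `os` module through the builtin `__import__`, which is the same route that gets a bash shell. The grammar, the `MAX_EXPONENT` cap and the helper names are my choices, not anything the post specifies.

```python
import os
import re


def eval_calculator(expr: str):
    """The calculator from the post. Deliberately vulnerable, do not ship it."""
    return eval(expr)


# Constructed payload, not an arithmetic expression: it resolves the os module
# through the builtin __import__ and returns the current PID. Swapping getpid()
# for system("bash") gives the shell the post describes.
INJECTION_PAYLOAD = '__import__("os").getpid()'


def injection_reaches_os() -> bool:
    """True when the eval calculator hands the payload a live os module."""
    return eval_calculator(INJECTION_PAYLOAD) == os.getpid()


# The replacement: a small arithmetic grammar with no names, calls or attributes.
#   expr   := term (('+' | '-') term)*
#   term   := factor (('*' | '/' | '%') factor)*
#   factor := ('+' | '-') factor | power
#   power  := atom ('^' factor)?          right-associative: 2^3^2 == 512
#   atom   := NUMBER | '(' expr ')'
NUMBER_RE = re.compile(r"\d+(?:\.\d*)?|\.\d+")
MAX_EXPONENT = 1000  # my cap: stops 9^9^9 from burning CPU (values are floats, so no big-int blowup)


class ParseError(ValueError):
    """Raised for anything outside the grammar, including every injection attempt."""


def tokenize(text: str) -> list:
    """Split text into ('num', float) and ('op', char) tokens; reject any other character."""
    tokens, pos = [], 0
    while pos < len(text):
        ch = text[pos]
        if ch.isspace():
            pos += 1
        elif ch.isdigit() or ch == ".":
            match = NUMBER_RE.match(text, pos)
            if match is None:
                raise ParseError(f"bad number at offset {pos}")
            tokens.append(("num", float(match.group())))
            pos = match.end()
        elif ch in "+-*/%^()":
            tokens.append(("op", ch))
            pos += 1
        else:  # letters, quotes, underscores: none of these are tokens
            raise ParseError(f"unexpected character {ch!r} at offset {pos}")
    return tokens


class Parser:
    def __init__(self, tokens: list):
        self.tokens, self.pos = tokens, 0

    def peek(self) -> tuple:
        return self.tokens[self.pos] if self.pos < len(self.tokens) else (None, None)

    def take(self, kind: str, value=None):
        tok = self.peek()
        if tok[0] != kind or (value is not None and tok[1] != value):
            raise ParseError(f"expected {value or kind}, got {tok[1]!r}")
        self.pos += 1
        return tok[1]

    def parse(self) -> float:
        result = self.expr()
        if self.pos != len(self.tokens):
            raise ParseError(f"trailing input {self.peek()[1]!r}")
        return result

    def expr(self) -> float:
        value = self.term()
        while self.peek() in (("op", "+"), ("op", "-")):
            op, rhs = self.take("op"), self.term()
            value = value + rhs if op == "+" else value - rhs
        return value

    def term(self) -> float:
        value = self.factor()
        while self.peek() in (("op", "*"), ("op", "/"), ("op", "%")):
            op, rhs = self.take("op"), self.factor()
            if op == "*":
                value *= rhs
            elif op == "/":
                value /= rhs  # ZeroDivisionError propagates, exactly as with eval
            else:
                value %= rhs
        return value

    def factor(self) -> float:
        if self.peek() == ("op", "-"):
            self.take("op")
            return -self.factor()
        if self.peek() == ("op", "+"):
            self.take("op")
            return self.factor()
        return self.power()

    def power(self) -> float:
        base = self.atom()
        if self.peek() == ("op", "^"):
            self.take("op")
            exponent = self.factor()
            if abs(exponent) > MAX_EXPONENT:
                raise ParseError(f"exponent {exponent} exceeds limit {MAX_EXPONENT}")
            return base ** exponent  # float overflow raises OverflowError, not a hang
        return base

    def atom(self) -> float:
        kind, value = self.peek()
        if kind == "num":
            return self.take("num")
        if (kind, value) == ("op", "("):
            self.take("op")
            inner = self.expr()
            self.take("op", ")")
            return inner
        raise ParseError(f"expected a number or '(', got {value!r}")


def safe_calculator(expr: str) -> float:
    return Parser(tokenize(expr)).parse()


def rejected(expr: str) -> bool:
    """True when the parser refuses expr (the outcome we want for the payload)."""
    try:
        safe_calculator(expr)
    except ParseError:
        return True
    return False


if __name__ == "__main__":
    print("=== Safer Magic Math ===")
    print(safe_calculator(input("Math here: ")))
```

Passing `eval` a stripped globals dict such as `{"__builtins__": {}}` is not a substitute for this: the object graph reachable from any literal (via `__class__` and `__subclasses__`) leads back to the builtins, which is why the grammar above has no names or attribute access at all.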
#2: Use ast.literal_eval()
This one is for when the input is a Python literal (a number, string, list, dict, tuple, set, bool or None) that you want to turn into data. `ast.literal_eval()` parses the text and only ever builds those literal values; it never calls a function, looks up a name or imports anything, so `__import__('os')` is rejected with a `ValueError` instead of running. It also refuses ordinary arithmetic like `2*3`, which is why it does not fit the calculator. Here's an example:

```python
import ast

di = input("Enter a list: ")
li = ast.literal_eval(di)
print(li, type(li))
```
You can always cast to the type you want, but when the data type can vary...
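An added example (mine, not from the original post) showing what `ast.literal_eval()` accepts and refuses, followed by the type check it does not do for you: a literal is not necessarily *your* type. The sample inputs are constructed for the demo, and `parse_literal` and `parse_int_list` are helper names I chose.

```python
import ast

# Constructed inputs: the first three are what a user might legitimately type,
# the rest are what an attacker (or the calculator use case) would send.
SAMPLES = [
    "[1, 2, 3]",
    "{'port': 8080, 'tls': True}",
    "1 + 2j",                          # the one '+' literal_eval allows: a complex number
    "__import__('os').system('id')",   # a Call node: rejected, never executed
    "2 * 3",                           # arithmetic: rejected, so this is not a calculator
    "[1, 2",                           # unterminated: a SyntaxError
]


def parse_literal(text: str):
    """Return (value, None) for a valid literal, or (None, error_name) when rejected.

    literal_eval only builds constants and the container literals around them; any
    name, call, attribute or operator (other than the complex-number +/-) is a
    ValueError. The Python docs warn that deeply nested input can still exhaust the
    parser, so RecursionError and MemoryError are caught as rejections as well.
    """
    try:
        return ast.literal_eval(text), None
    except (ValueError, SyntaxError, TypeError, RecursionError, MemoryError) as exc:
        return None, type(exc).__name__


def parse_int_list(text: str) -> list:
    """Typed wrapper: accept only a list of plain ints (bool is an int subclass, so it is excluded)."""
    value, error = parse_literal(text)
    if error is not None:
        raise ValueError(f"not a literal ({error}): {text!r}")
    if not isinstance(value, list) or not all(type(item) is int for item in value):
        raise ValueError(f"expected a list of ints, got {value!r}")
    return value


def int_list_accepted(text: str) -> bool:
    try:
        parse_int_list(text)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for sample in SAMPLES:
        value, error = parse_literal(sample)
        outcome = f"rejected ({error})" if error else f"{value!r} as {type(value).__name__}"
        print(f"{sample!r:36} -> {outcome}")
```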
#3: Use asteval.
This one is the best fit for the calculator.
Asteval is a third-party package that interprets a restricted subset of Python on top of the `ast` module, removing the standard library and
Let's rework our math calculator above:

```python
from asteval import Interpreter

aeval = Interpreter()  # named aeval so the builtin eval is not shadowed
print("=== More Magic Math ===")
print(aeval(input("More Math: ")))
```
If I try the same exploit as above, we get this:
And if I try another exploit:
As you can see, the asteval module is great for evaluating math, and it blocks the code injection that `eval` allowed: imports, the dangerous builtins and dunder attribute access are all refused. One caveat: asteval's own documentation stops short of calling it a secure sandbox, and an untrusted user can still write expressions that burn CPU or memory, so if the input is hostile, run it with a timeout or inside a resource-limited process.
Well, that's all on the topic of