Python eval()


The eval() function parses the string passed to it as a Python expression and evaluates it inside the running program, returning the result. In other words, it interprets a string as code inside a Python program, with the same privileges as the code that called it.

Syntax

The syntax for eval is as below −

eval(expression, globals=None, locals=None)

Where

  • expression − A string (or a compiled code object) containing a single Python expression; statements such as import or assignment are not accepted.

  • globals − A dictionary of the global names (variables, functions, modules) the expression may look up. If the dictionary has no __builtins__ key, Python inserts a reference to the built-in functions before evaluating.

  • locals − Any mapping of local names the expression may look up. When omitted it defaults to the globals dictionary.

In the example below we let the user enter an expression in terms of a variable a, then run eval() on it to compute the result. This is the typical way eval() is used to execute code built at run time.

Example


# expression to be evaluated, typed in by the user
# (the original used raw_input(), which is Python 2; Python 3's input() returns the raw string)
user_expr = input("Enter an expression in terms of variable a):")
# enter the value of the variable the expression refers to
a = int(input("Enter the value of a:"))
# evaluate the expression in the current scope, so it can see 'a' (and everything else)
result = eval(user_expr)
# printing the evaluated result
print("Result = {}".format(result))

Output

Running the above code gives us the following result −

Enter an expression in terms of variable a):a*(a-3)+a^2
Enter the value of a:7
Result = 33

Note that in Python ^ is the bitwise XOR operator, not exponentiation, and it binds more loosely than + and *, so the input is evaluated as (7*(7-3)+7) ^ 2 = 35 ^ 2 = 33. Writing a**2 instead would give 28 + 49 = 77. Whatever the user types is evaluated exactly as Python code; nothing checks what the expression does.

Security Issue With eval()

In web applications or desktop programs that evaluate input they do not control, calling eval() on that input is a security vulnerability: the expression runs with the full privileges of the program, so a user can supply an expression that calls functions to delete files, read sensitive data or import arbitrary modules. The globals and locals arguments of eval() control which names the expression can look up, and the sections below show how to use them to narrow what is reachable.

The three ways of calling eval() are as below, from least to most restrictive −

Omit both the globals and locals arguments.

This is the form used in the example above and it restricts nothing: the expression is evaluated in the caller's own scope, so it can see every variable, every imported module and every built-in function that the calling code can see.

Pass an empty dictionary as globals and omit locals.

When locals is omitted it defaults to the globals dictionary, so all names are looked up in that one dictionary. Passing an empty dictionary means the expression cannot see any of the program's variables, not even the names imported with from time import *. Python inserts a __builtins__ entry into the dictionary, so only the built-in functions remain available, as the next example shows.

Example


from time import *
print(eval('dir()', {}))

Running the above code gives us the following result −

['__builtins__']

We can also expose only selected functions from an imported library by adding them to the globals dictionary under names of our choosing; everything else from the library stays invisible to the expression.


from time import *
print(eval('dir()', {'sleeptime': sleep, 'Localtime': localtime}))

Output

Running the above code gives us the following result −

['Localtime', '__builtins__', 'sleeptime']

Passing Selective Functions to both Global and Local

We can also restrict the names available in both scopes by removing the built-ins and exposing only a few names from the imported library. Passing {'__builtins__': None} as globals stops Python from inserting the real built-ins, and the locals dictionary then holds only the names the expression needs. In the example below only the gmtime method from the time library, together with the variable a, is available. Bear in mind that this only controls name lookup: an expression can still reach interpreter objects through attribute access on a literal such as ().__class__, and in Python 3 a reference to a removed built-in fails with a TypeError (NoneType is not subscriptable) when __builtins__ is None, or with a NameError when it is an empty dictionary. Restricting eval() this way is not a sandbox; untrusted input should instead be parsed with ast.literal_eval() or a purpose-built evaluator.

Example


from time import *
a = 1445945763
print(eval('gmtime(a)', {'__builtins__': None}, {'a': a, 'gmtime': gmtime}))

Output

Running the above code gives us the following result −

time.struct_time(tm_year=2015, tm_mon=10, tm_mday=27, tm_hour=11, tm_min=36, tm_sec=3, tm_wday=1, tm_yday=300, tm_isdst=0)
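The restrictions above narrow which names an expression can look up, but they are not a security boundary, and the only safe way to evaluate untrusted arithmetic is not to call eval() on it at all. The following Python is an added example, not code from the original page: probe_restricted_eval() checks that an eval() call with no built-ins still reaches the interpreter's class hierarchy through attribute access on a literal, and eval_arith() is a replacement for the a*(a-3)+a^2 example that parses the input with the ast module and evaluates only a whitelist of arithmetic operators over a fixed set of variables, rejecting names, calls, attributes and subscripts before anything is evaluated. The function names, the operator table and the exponent cap are this example's own choices.

```python
import ast
import operator

# --- 1. The restriction is not a sandbox -------------------------------------
# With an empty dict as __builtins__, Python inserts nothing, so built-in names
# cannot be looked up. Attribute access on a literal is unaffected, though, and
# from a tuple's class the whole loaded class hierarchy is reachable.
NO_BUILTINS = {"__builtins__": {}}


def probe_restricted_eval():
    """Return (builtin_blocked, classes_reachable) for eval() without built-ins."""
    try:
        eval("open", NO_BUILTINS)           # built-in *name* lookup fails...
        builtin_blocked = False
    except NameError:
        builtin_blocked = True
    # ...but the object graph is still reachable through a literal's attributes.
    subclasses = eval("().__class__.__base__.__subclasses__()", NO_BUILTINS)
    classes_reachable = len(subclasses) > 0 and all(isinstance(c, type) for c in subclasses)
    return builtin_blocked, classes_reachable


# --- 2. A safe evaluator for arithmetic expressions --------------------------
# Only these node types and operators are accepted. Anything else (Name not in
# the variable table, Call, Attribute, Subscript, strings, ...) is rejected.
_BIN_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
    ast.FloorDiv: operator.floordiv,
    ast.Mod: operator.mod,
    ast.Pow: operator.pow,
    ast.BitXor: operator.xor,   # '^' is XOR, exactly as eval() treats it
}
_UNARY_OPS = {ast.UAdd: operator.pos, ast.USub: operator.neg}

MAX_EXPONENT = 1000  # cap exponents so '9**9**9' cannot exhaust CPU and memory


def eval_arith(expr, variables):
    """Evaluate an arithmetic expression over the given variables without eval()."""
    tree = ast.parse(expr, mode="eval")   # raises SyntaxError on malformed input

    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if (isinstance(node, ast.Constant)
                and isinstance(node.value, (int, float))
                and not isinstance(node.value, bool)):
            return node.value
        if isinstance(node, ast.Name):
            if node.id not in variables:
                raise ValueError("unknown variable: %s" % node.id)
            return variables[node.id]
        if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
            return _UNARY_OPS[type(node.op)](walk(node.operand))
        if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
            left, right = walk(node.left), walk(node.right)
            if isinstance(node.op, ast.Pow) and abs(right) > MAX_EXPONENT:
                raise ValueError("exponent too large")
            return _BIN_OPS[type(node.op)](left, right)
        raise ValueError("disallowed syntax: %s" % type(node).__name__)

    return walk(tree)


def rejects(expr, variables):
    """True if eval_arith() refuses the expression (used to check the whitelist)."""
    try:
        eval_arith(expr, variables)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(probe_restricted_eval())                       # (True, True)
    print(eval_arith("a*(a-3)+a^2", {"a": 7}))           # 33, same as the eval() example
    print(eval_arith("a*(a-3)+a**2", {"a": 7}))          # 77
    for bad in ("__import__('os').system('id')", "().__class__", "b+1", "a[0]"):
        print("rejected:", bad, rejects(bad, {"a": 7}))
```

The evaluator gives the same answer as eval() for the page's input because it honours Python's precedence (the ^ is applied last), while an expression that names a function, walks an attribute or indexes a value never gets evaluated at all. Deeply nested input can still raise RecursionError from the parser, and division by zero still raises ZeroDivisionError; callers should treat both like any other bad input.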
raja
Published on 23-Aug-2019 16:13:20