Safe eval of insecure strings containing Python data structures?

Warren DeLano

I would like to parse arbitrary insecure text string containing nested
Python data structures in eval-compatible form:

# For example, given a "config.txt" such as:

{
'my_atom' : 1.20,
'my_dict' : { 2:50 , 'hi':'mom'},
'my_list' : [ (1,2,3), [4.5,6.9], 'foo', 0 ]
}

# I would like to do something like this:

empty_space = {'__builtins__' : {}}

try:
    config = eval(open("config.txt").read(), empty_space, empty_space)
except:
    config = {}

print config

# But I know for certain that the above approach is NOT secure since
object attributes can still be accessed...

So is there an equally convenient yet secure alternative available for
parsing strings containing Python data structure definitions?

Thanks in advance for any pointers!

Cheers,
Warren
 
George Sakkis

I would like to parse arbitrary insecure text string containing nested
Python data structures in eval-compatible form:  

# For example, given a "config.txt" such as:

{
  'my_atom' : 1.20,
  'my_dict' : { 2:50 , 'hi':'mom'},
  'my_list' : [ (1,2,3), [4.5,6.9], 'foo', 0 ]

}

# I would like to do something like this:

empty_space = {'__builtins__' : {}}

try:
    config = eval(open("config.txt").read(), empty_space, empty_space)
except:
    config = {}

print config

# But I know for certain that the above approach is NOT secure since
object attributes can still be accessed...

So is there an equally convenient yet secure alternative available for
parsing strings containing Python data structure definitions?

Thanks in advance for any pointers!

This topic comes up every other month or so in this list, so if you
had taken a minute to search for "python safe eval" or a variation
thereof in your favorite search engine, you'd get more than enough
pointers.

George
 
Aaron "Castironpi" Brady

I would like to parse arbitrary insecure text string containing nested
Python data structures in eval-compatible form:  
....
# But I know for certain that the above approach is NOT secure since
object attributes can still be accessed...

So is there an equally convenient yet secure alternative available for
parsing strings containing Python data structure definitions?

Thanks in advance for any pointers!

Cheers,
Warren

As mentioned, I don't know if everything has been tried or how secure
what attempts have been. I haven't seen this one:

Python 2.6 (r26:66721, Oct 2 2008, 11:35:03) [MSC v.1500 32 bit (Intel)] on win32
Type "help", "copyright", "credits" or "license" for more information.
>>> del __builtins__
>>> a= [ x for x in (1).__class__.__bases__[0].__subclasses__() if x.__name__== 'file' ][ 0 ]
>>> a
>>> a('abc.txt','w')
Traceback (most recent call last):
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
ImportError: __import__ not found

So, at least one of the newsgroup favorites is gone. Take a shot
though! Maybe a variant would be sufficient. No warranty.
 
franck

I would like to parse arbitrary insecure text string containing nested
Python data structures in eval-compatible form:  

Python 2.6 has ast.literal_eval to do exactly this. It handles lists,
tuples, dicts, numbers, strings, bool and None, with arbitrary nesting.

Cheers,
Franck
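A loader for the "config.txt" from the question built on the ast.literal_eval that Franck points to, written as an added example rather than code from this thread (Python 3; load_config, CONFIG_TEXT, REJECTED and the size cap are my own names and assumptions). It shows that the literal parser accepts the nested dict/list/tuple structure but refuses the attribute-access and call expressions that an eval() with an empty __builtins__ would still evaluate, and that parser resource limits still need handling.

```python
import ast

# Constructed sample input: the "config.txt" shown in the question, as a string.
CONFIG_TEXT = """
{
    'my_atom' : 1.20,
    'my_dict' : { 2:50 , 'hi':'mom'},
    'my_list' : [ (1,2,3), [4.5,6.9], 'foo', 0 ]
}
"""

# Constructed inputs that eval() with an empty __builtins__ would still run
# (or at least parse); literal_eval refuses every one of them.
REJECTED = [
    "(1).__class__.__bases__[0].__subclasses__()",  # attribute access
    "__import__('os')",                              # name lookup + call
    "{'k': open('x')}",                              # call nested in a literal
    "[1, 2",                                         # plain syntax error
]


def load_config(text, max_bytes=64 * 1024, default=None):
    """Parse text holding one Python literal; return `default` on any failure.

    ast.literal_eval evaluates literal syntax only (str, bytes, numbers,
    tuples, lists, dicts, sets, booleans, None), so names, attribute access
    and calls raise ValueError instead of executing. It is still a parser,
    though: oversized or absurdly nested input can exhaust memory or the
    recursion stack, so the size is bounded and those errors are caught too.
    """
    fallback = {} if default is None else default
    if not isinstance(text, str) or len(text.encode("utf-8")) > max_bytes:
        return fallback
    try:
        return ast.literal_eval(text.strip())
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError):
        # ValueError: non-literal node; TypeError: e.g. an unhashable dict key;
        # SyntaxError/MemoryError/RecursionError: malformed or too-deep input.
        return fallback


if __name__ == "__main__":
    print(load_config(CONFIG_TEXT))
    for bad in REJECTED:
        assert load_config(bad) == {}, bad
    print("all non-literal inputs rejected")
```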
 
