Secure Table.eval() #135

Open
iguinn opened this issue Feb 22, 2025 · 0 comments
Labels
types LGDO types

Comments

iguinn (Contributor) commented Feb 22, 2025

Right now, `Table.eval()` uses Python's `eval` function, which is considered insecure because it can execute arbitrary Python code. This issue is to discuss how we could secure it. My suggestion is that we should limit eval to use only recognized functions and variables from the Table, and maybe also some explicitly provided variables from the user.

One suggestion is to compile the string into an AST (https://docs.python.org/3/library/ast.html), and then use that to verify that the code doesn't do anything we consider unsafe. This is a Python standard library feature that is extremely flexible (meaning we could extend it as needed). It's also what was used for dspeed (although this feature shouldn't have to be that complicated). We could even consider modifying the code (e.g., we could replace `all` and `any` with `ak.all` and `ak.any` for ease of use).
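As an added illustration of the whitelist approach described in this issue (example code, not code from this project or from dspeed): the expression is parsed with `ast`, every node is checked against a whitelist of node types, calls may only target whitelisted functions, and names must be Table columns or user-supplied variables; only then is the compiled expression evaluated. `SAFE_FUNCTIONS`, `table_eval` and `is_allowed` are hypothetical names, and a dict of equal-length lists stands in for a Table.

```python
import ast
import math

# Functions an expression may call (a hypothetical whitelist, not lgdo's own).
SAFE_FUNCTIONS = {"sqrt": math.sqrt, "log": math.log, "abs": abs, "min": min, "max": max}

# Node types that may appear: arithmetic, comparisons, boolean logic, calls, names, literals.
# Attribute, Subscript, Lambda, comprehensions and f-strings are deliberately absent, so
# anything like ().__class__.__bases__ or __import__('os') is rejected before eval() runs.
ALLOWED_NODES = (
    ast.Expression, ast.BinOp, ast.UnaryOp, ast.BoolOp, ast.Compare, ast.Call,
    ast.Name, ast.Constant, ast.operator, ast.unaryop, ast.boolop, ast.cmpop,
    ast.expr_context,
)


class UnsafeExpression(ValueError):
    """Raised when an expression uses anything outside the whitelist."""


def validate(tree, allowed_names):
    """Walk the AST and reject any node, call target or name not on the whitelist."""
    for node in ast.walk(tree):
        if not isinstance(node, ALLOWED_NODES):
            raise UnsafeExpression(f"{type(node).__name__} is not permitted")
        if isinstance(node, ast.Call):
            if not (isinstance(node.func, ast.Name) and node.func.id in SAFE_FUNCTIONS):
                raise UnsafeExpression("only whitelisted functions may be called")
        elif isinstance(node, ast.Name) and node.id not in allowed_names:
            raise UnsafeExpression(f"unknown name {node.id!r}")


def table_eval(expr, table, user_vars=None):
    """Evaluate expr row by row over a dict of equal-length columns (stand-in for a Table)."""
    user_vars = user_vars or {}
    tree = ast.parse(expr, mode="eval")           # SyntaxError propagates for malformed input
    validate(tree, set(table) | set(user_vars) | set(SAFE_FUNCTIONS))
    code = compile(tree, "<table-expr>", "eval")  # validated once, executed per row
    # Empty __builtins__ is defence in depth; the AST check above is the real gate.
    return [eval(code, {"__builtins__": {}}, {**SAFE_FUNCTIONS, **user_vars, **dict(zip(table, row))})
            for row in zip(*table.values())]


def is_allowed(expr, table, user_vars=None):
    """True if expr would pass validation against the given columns and variables."""
    try:
        validate(ast.parse(expr, mode="eval"), set(table) | set(user_vars or {}) | set(SAFE_FUNCTIONS))
    except (SyntaxError, UnsafeExpression):
        return False
    return True
```

Rewriting nodes (for example mapping `all`/`any` to `ak.all`/`ak.any`) would be a separate `ast.NodeTransformer` pass run before `validate`.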

@gipert gipert added enhancement New feature or request types LGDO types and removed enhancement New feature or request labels Feb 23, 2025