added validation of expressions to prevent malicious code execution via eval()

wnienhaus · wnienhaus · commit dd3a04bac6f4 · 2021-08-06T17:43:40.000+03:00
At the point when eval is called, all symbols should have already been resolved
to their values. That means we only need to allow for numeric characters along
with arithmetic and bitwise operators, round brackets and whitespace. The
character 'x' is also accepted to allow for hex numbers such as 0x123. If any
other character is encountered the expression is deemed invalid.

This change also removes the try/except around the eval. As all symbols have
been resolved, the only thing that can be left is a valid expression. If it
does not evaluate, an exception *should* be raised rather than being silently
ignored (and hoping for an exception down the line).
diff --git a/esp32_ulp/opcodes.py b/esp32_ulp/opcodes.py
@@ -6,7 +6,7 @@
 from uctypes import struct, addressof, LITTLE_ENDIAN, UINT32, BFUINT32, BF_POS, BF_LEN
 
 from .soc import *
-from .util import split_tokens
+from .util import split_tokens, validate_expression
 
 # XXX dirty hack: use a global for the symbol table
 symbols = None
@@ -277,11 +277,9 @@ def eval_arg(arg):
         else:
             parts.append(token)
     parts = "".join(parts)
-    try:
-        parts = str(eval(parts))
-    except:
-        pass
-    return parts
+    if not validate_expression(parts):
+        raise ValueError('Unsupported expression: %s' % parts)
+    return str(eval(parts))
 
 
 def arg_qualify(arg):
diff --git a/esp32_ulp/util.py b/esp32_ulp/util.py
@@ -52,3 +52,12 @@ def file_exists(filename):
     except:
         pass
     return False
+
+
+def validate_expression(param):
+    for token in split_tokens(param):
+        for c in token:
+            if ('0' <= c <= '9') or c in ' \t+-*/%()<>&|^!~x':
+                continue
+            return False
+    return True
diff --git a/tests/util.py b/tests/util.py
@@ -1,5 +1,5 @@
 import os
-from esp32_ulp.util import split_tokens, file_exists
+from esp32_ulp.util import split_tokens, file_exists, validate_expression
 
 tests = []
 
@@ -31,6 +31,27 @@ def test_split_tokens():
     assert split_tokens("#test") == ['#', 'test']
 
 
+@test
+def test_validate_expression():
+    assert validate_expression('') is True
+    assert validate_expression('1') is True
+    assert validate_expression('1+1') is True
+    assert validate_expression('(1+1)') is True
+    assert validate_expression('(1+1)*2') is True
+    assert validate_expression('(1 + 1)') is True
+    assert validate_expression('10 % 2') is True
+    assert validate_expression('0x100 << 2') is True
+    assert validate_expression('0x100~1') is True
+    assert validate_expression('!1^2*3+4/5&6|7') is True
+    assert validate_expression('(((((1+1) * 2') is True  # valid characters, even if expression is not valid
+
+    assert validate_expression(':') is False
+    assert validate_expression('_') is False
+    assert validate_expression('=') is False
+    assert validate_expression('.') is False
+    assert validate_expression('0b1010') is False  # binutils does not support encoding binary numbers like this
+
+
 @test
 def test_file_exists():
     testfile = '.testfile'
