pwnlib.util.safeeval — Safe evaluation of Python code
- pwnlib.util.safeeval._get_opcodes(codeobj) -> [opcodes]
Extract the actual opcodes as a list from a code object.

>>> c = compile("[1 + 2, (1,2)]", "", "eval")
>>> _get_opcodes(c)
[100, 100, 103, 83]
- pwnlib.util.safeeval.const(expression) -> value
Safe Python constant evaluation.
Evaluates a string that contains an expression describing a Python constant. Strings that are not valid Python expressions or that contain other code besides the constant raise ValueError.

Examples

>>> const("10")
10
>>> const("[1,2, (3,4), {'foo':'bar'}]")
[1, 2, (3, 4), {'foo': 'bar'}]
>>> const("[1]+[2]")
Traceback (most recent call last):
...
ValueError: opcode BINARY_ADD not allowed
- pwnlib.util.safeeval.expr(expression) -> value
Safe Python expression evaluation.
Evaluates a string that contains an expression that only uses Python constants. This can be used to e.g. evaluate a numerical expression from an untrusted source.

Examples

>>> expr("1+2")
3
>>> expr("[1,2]*2")
[1, 2, 1, 2]
>>> expr("__import__('sys').modules")
Traceback (most recent call last):
...
ValueError: opcode LOAD_NAME not allowed
- pwnlib.util.safeeval.test_expr(expr, allowed_codes) -> codeobj
Test that the expression contains only the listed opcodes. If the expression is valid and contains only allowed opcodes, return the compiled code object. Otherwise raise a ValueError.
- pwnlib.util.safeeval.values(expression, dict) -> value
Safe Python expression evaluation.
Evaluates a string that contains an expression that only uses Python constants and values from a supplied dictionary. This can be used to e.g. evaluate an argument to a syscall.

- Note: This is potentially unsafe if e.g. the __add__ method has side effects.

Examples

>>> values("A + 4", {'A': 6})
10
>>> class Foo:
...     def __add__(self, other):
...         print("Firing the missiles")
>>> values("A + 1", {'A': Foo()})
Firing the missiles
>>> values("A.x", {'A': Foo()})
Traceback (most recent call last):
...
ValueError: opcode LOAD_ATTR not allowed