Use safe_eval vs eval.

This commit is contained in:
Michael DeHaan 2013-04-10 16:17:24 -04:00
parent fecfbf9226
commit a83e10d77d
2 changed files with 30 additions and 2 deletions

View file

@ -15,6 +15,8 @@
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with Ansible. If not, see <http://www.gnu.org/licenses/>. # along with Ansible. If not, see <http://www.gnu.org/licenses/>.
from ansible.utils import safe_eval
def flatten(terms): def flatten(terms):
ret = [] ret = []
for term in terms: for term in terms:
@ -34,7 +36,7 @@ class LookupModule(object):
if '{' or '[' in terms: if '{' or '[' in terms:
# Jinja2-ified list needs to be converted back to a real type # Jinja2-ified list needs to be converted back to a real type
# TODO: something a bit less heavy than eval # TODO: something a bit less heavy than eval
terms = eval(terms) terms = safe_eval(terms)
terms = [ terms ] terms = [ terms ]
return flatten(terms) return flatten(terms)

View file

@ -162,7 +162,7 @@ def check_conditional(conditional):
try: try:
conditional = conditional.replace("\n", "\\n") conditional = conditional.replace("\n", "\\n")
result = eval(conditional) result = safe_eval(conditional)
if result not in [ True, False ]: if result not in [ True, False ]:
raise errors.AnsibleError("Conditional expression must evaluate to True or False: %s" % conditional) raise errors.AnsibleError("Conditional expression must evaluate to True or False: %s" % conditional)
return result return result
@ -684,3 +684,29 @@ def is_list_of_strings(items):
return False return False
return True return True
def safe_eval(str):
'''
this is intended for allowing things like:
with_items: {{ a_list_variable }}
where Jinja2 would return a string
but we do not want to allow it to call functions (outside of Jinja2, where
the env is constrained)
'''
# FIXME: is there a more native way to do this?
# do not allow method calls
if re.search(r'\w\.\w+\(', str):
print "C1"
return str
# do not allow imports
if re.search(r'import \w+', str):
print "C2"
return str
return eval(str)