Friday Fun with EVAL()

2 views (last 30 days)
Sean de Wolski
Sean de Wolski on 12 Apr 2013
I think I may have come across the first time in my >5 years of using MATLAB that I have a case where the best possible answer is to use eval().
Here's the scenario:
I'm working on a test that requires the user to input a string in an edit box. This string needs to create a very specific anonymous function, e.g.:
Create an anonymous function, f, that takes two inputs x,y and runs x^2+y^2+2
Once the anonymous function is created, I can test the correctness using a comparison with the output from functions(f).
How I plan to safeguard against it breaking everything else:
  • eval(str) will be inside of a try/catch in case they error.
  • I will "pre-regexprep" the string to remove any case where more than two letters are consecutive. This should stop most malicious behavior.
  • I will eval(str) inside of a subfunction where no variables being destroyed or created will hurt me.
  • I will verify that f exists and that it's a function handle. If it does not exist, I'll pass back a wrong answer so it fails.
PS: when I say malicious, I just mean someone having fun with this :)
The alternatives I've thought of:
  • Use regexp to verify that everything in the string is in the right order. Shortcoming: this does not scale well, and there are cases where the answer is correct but my regular expression misses it, such as with unnecessary extra parentheses.
  • Write it to a MATLAB file. Run the file. This has no real advantages that I can see...
  3 comments
Walter Roberson
Walter Roberson on 12 Apr 2013
Not preregexp -- either regexprep() or regexptranslate()
Sean de Wolski
Sean de Wolski on 12 Apr 2013
@Cedric, yeah I can forget about it by Monday if I leave it working :)
@Walter, I meant pre-regexp as in I would use regexprep before eval()ing it.


Answers (3)

Friedrich
Friedrich on 13 Apr 2013
Edited: Friedrich on 13 Apr 2013
Hi Sean,
Why use "eval" and not "inline" on the post-processed user input string?
  3 comments
Sean de Wolski
Sean de Wolski on 15 Apr 2013
And I would have to pre-regexprep it to remove the f =
inline('f=@(x,y)x.^2+y.^2+2')
That is a simpler expression, but in Cleve's words, avoid inline too!
Friedrich
Friedrich on 15 Apr 2013
Edited: Friedrich on 15 Apr 2013
As long as you call eval only once, it should be fine with eval. In addition, the 13a doc states: "inline will be removed in a future release. Use Anonymous Functions instead."
Which then will lead to eval in order to create the function handle dynamically anyway.



Daniel Shub
Daniel Shub on 18 Apr 2013
What about str2func?
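Putting Sean's safeguards and Daniel's str2func suggestion together, as an added example (not code from this thread): the user's string is checked against a whitelist before any code is constructed, the handle is built with str2func rather than eval, and correctness is judged numerically on sample points rather than by comparing functions(f) output. checkUserFunction and makeUserFunction are hypothetical names; save both in checkUserFunction.m.

```matlab
function ok = checkUserFunction(str, reference)
% Grade a user-typed anonymous-function string against a reference handle.
% Hypothetical helper (added example, not from the thread).
%   str       - edit-box text, e.g. 'f = @(x,y) x.^2+y.^2+2'
%   reference - handle with the expected behaviour, e.g. @(x,y) x.^2+y.^2+2
% Correctness is judged numerically on a sample grid, so '(x.^2)+(y.^2)+2'
% passes even though its text differs from the reference.
    ok = false;
    f = makeUserFunction(str);
    if isempty(f), return; end
    [X, Y] = meshgrid(-3:1.5:3, -3:1.5:3);   % constructed sample points
    try
        got  = f(X, Y);
        want = reference(X, Y);
        ok = isequal(size(got), size(want)) && all(abs(got(:) - want(:)) < 1e-9);
    catch
        ok = false;   % handle built, but calling it errors (e.g. an undefined name 'xx')
    end
end

function f = makeUserFunction(str)
% Build the handle with str2func, never eval, and only after a whitelist
% check: the text may contain the parameters x and y, digits, '.',
% arithmetic operators, parentheses and whitespace. Anything else
% (quotes, ';', ',', or any other identifier) is rejected before any
% code is constructed; this check is the actual safeguard, since
% str2func alone would happily build a handle that calls any function.
    f = [];
    body = regexprep(strtrim(str), '^f\s*=\s*', '');   % optional "f ="
    header = '^@\(\s*x\s*,\s*y\s*\)';                   % must declare (x,y)
    if isempty(regexp(body, header, 'once'))
        return;
    end
    expr = regexprep(body, header, '');
    if ~isempty(regexp(expr, '[^xy0-9.+*/^()\s-]', 'once'))
        return;   % illegal character found
    end
    try
        f = str2func(body);
    catch
        f = [];   % syntactically invalid, e.g. unbalanced parentheses
    end
    if ~isa(f, 'function_handle')
        f = [];
    end
end
```

A string such as 'f = @(x,y) x^2+y^2+2' gets past the whitelist but fails the numeric comparison on the matrix grid, which is the same outcome Sean wants for a wrong answer.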

Jan
Jan on 18 Apr 2013
Edited: Jan on 18 Apr 2013
Make the expression a string and send it by urlwrite to a dedicated problem at Cody. Here Matlab runs in a virtual machine which is refreshed automatically. They run it under Ubuntu, such that you do not have to care about the security leaks in Windows, which would allow getting admin privileges. Unfortunately Ubuntu is not a tank either, and an evil user could try to embed code to start sendmail.
This would catch evilness of the category 1 to 3:
  • typos
  • unwanted calls of toolbox functions
  • calls of operating system functions like deleting files
This would not catch evilness of category 4:
  • psychotic script kids, who really plan to use your program for evil and criminal activities.
My conclusion: It is your intention to evaluate code typed in by the user. Then eval is fine, because this is a dangerous command for a dangerous purpose. If you add 100 REGEXP restrictions, the user simply opens a shell and sends the evil commands directly to the operating system. If the user has physical access to the computer, 100% bullet-proof systems are impossible. If you want to offer your GUI through a web interface for public access, check your log files very frequently.
