[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Sandboxing eval() (was: Calculator)

On 2020-01-19, musbur at <musbur at> wrote:
> Is it actually possible to build a "sandbox" around eval, permitting it
> only to do some arithmetic and use some math functions, but no
> filesystem acces or module imports?
> I have an application that loads calculation recipes (a few lines of
> variable assignments and arithmetic) from a database. 
> exec(string, globals, locals)
> with locals containing the input variables, and globals has a
> __builtin__ object with a few math functions. It works, but is it safe?

No, not even slightly. If you want to do this you need to write your
own interpreter that runs your own domain-specific language.