The Security threat of the “eval()” function in programming languages.
“Evaluate”, what does it refer to in the real world?
According to Oxford Languages, ‘evaluate’ is “form an idea of the amount, number, or value of.”
Then what does ‘evaluate’ in programming refer to?
Not in all, but in some programming languages there’s a predefined function called “ eval() ”. It can evaluate a string as though it were an expression in the language and return a result.
eval() in Python
eval() is one of the few built-in functions that does not need to be imported from a module or the standard library.
x = 'print(55)'
eval(x)The eval() function evaluates the specified expression, if the expression is a legal Python statement, it will be executed. (W3Schools.com, n.d.)
Syntax :
eval(expression, globals, locals)Parameters :
expression -> A String, that will be evaluated as Python code
globals -> Optional. A dictionary containing global parameters.
locals -> Optional. A dictionary containing local parameters.
Since eval() is such a powerful function, we should remember the number one lesson worth taking from Spider-man.: with great power comes great responsibility.
How eval can be a threat to your code?
- Once we start using eval(), the behavior of the program becomes much less predictable.
2. Using eval with data from an untrusted source may introduce security vulnerabilities. For instance, refer to the Python code below.
person_response = eval(myinfo_log.user_response)
Since we get data from a user input, this code is insecure. An attacker can provide a data string like “session.update(authenticated=True)” as data, which would update the session dictionary to set an authenticated key to be True. To remedy this, all data that will be used with eval It must be escaped or run without access to potentially harmful functions.
‘__import__(‘subprocess’).getoutput(‘rm -rf /’)’
This code is to delete the entire filesystem or use a utility like netcat to open a backdoor into the machine.
Click here to see an example of a usage of eval() in Python from Udacity. Although using eval() is discouraged, it’s an important function to understand.
But we have options !!
Instead of using eval(), it might be safer to use methods in Python like JSON.loads or YAML.safe_load, which can deserialize the string into a data structure more safely than eval().
Not only in Python but in some other programming languages like javascript & ruby also we have alternatives for eval().
In practice, the clearest recommendation is that one should never, ever use eval(). By sticking with this recommendation, you ensure that you are sticking to coding best practices.
But in cases where it must be used, validating input to the function and using restricted globals and locals can make it more tolerable.
References :
- (No date) Python’s Eval(): The most powerful function you should never use. | udacity. Available at: https://www.udacity.com/blog/2023/03/pythons-eval-the-most-powerful-function-you-should-never-use.html (Accessed: 04 October 2024).