Dependents: UAVCAN UAVCAN_Subscriber
EvalPseudoSandbox Class Reference
Public Member Functions
- def register
- def compile
- def eval
- def f_import
- def f_exists
- def f_default
- def f_setvar
- def f_escape
Detailed Description
An eval-pseudo-sandbox.
The pseudo-sandbox restricts the available functions/objects, so the
code can only access:
- some of the builtin Python-functions, which are considered "safe"
(see safe_builtins)
- some additional functions (exists(), default(), setvar(), escape())
- the passed objects incl. their methods.
Additionally, names beginning with "_" are forbidden.
This is to prevent things like '0 .__class__', with which you could
easily break out of a "sandbox".
Be careful to only pass "safe" objects/functions to the template,
because any unsafe function/method could break the sandbox!
For maximum security, restrict the access to as few objects/functions
as possible!
:Warning:
Note that this is no real sandbox! (And although I don't know any
way to break out of the sandbox without passing-in an unsafe object,
I cannot guarantee that there is no such way. So use with care.)
Take care if you want to use it for untrusted code!!
Definition at line 772 of file pyratemp.py.
Member Function Documentation
def compile(self, expr)
Compile a Python-eval-expression.
- Use a compile-cache.
- Raise a `NameError` if `expr` contains a name beginning with ``_``.
:Returns: the compiled `expr`
:Exceptions:
- `SyntaxError`: for compile-errors
- `NameError`: if expr contains a name beginning with ``_``
Definition at line 857 of file pyratemp.py.
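The two checks described above (a reduced builtins table and the rejection of names beginning with "_" at compile time) can be shown in a few lines. This is an added example, not the code from pyratemp.py; the class MiniPseudoSandbox, the helper blocked() and the contents of SAFE_BUILTINS are assumptions made for illustration. It goes slightly beyond the description by also checking nested code objects such as lambdas.

```python
import types

# Assumption: a small allow-list standing in for pyratemp's safe_builtins.
SAFE_BUILTINS = {"len": len, "str": str, "int": int, "min": min, "max": max}


class MiniPseudoSandbox:
    """Added example (hypothetical class), not pyratemp's EvalPseudoSandbox."""

    def __init__(self):
        # Replacing __builtins__ hides open(), __import__(), exec(), ...
        self.eval_globals = {"__builtins__": dict(SAFE_BUILTINS)}
        self._cache = {}

    def register(self, name, obj):
        # Everything registered here becomes reachable by template code.
        self.eval_globals[name] = obj

    def _names(self, code):
        # Names used by this code object and by nested ones (lambdas,
        # comprehensions), which are stored as constants in co_consts.
        yield from code.co_names
        yield from code.co_varnames
        for const in code.co_consts:
            if isinstance(const, types.CodeType):
                yield from self._names(const)

    def compile(self, expr):
        if expr not in self._cache:
            code = compile(expr, "<sandbox>", "eval")  # may raise SyntaxError
            for name in self._names(code):
                if name.startswith("_"):
                    raise NameError("Name '%s' is not allowed." % name)
            self._cache[expr] = code  # only vetted code objects are cached
        return self._cache[expr]

    def eval(self, expr, local_vars):
        return eval(self.compile(expr), self.eval_globals, local_vars)


def blocked(sandbox, expr, local_vars=None):
    """Return True if the sandbox refuses expr with a NameError."""
    try:
        sandbox.eval(expr, local_vars or {})
    except NameError:
        return True
    return False
```

The name check only inspects identifiers in the compiled expression, so every object passed in or registered remains part of the trust boundary, as the class description warns.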
def eval(self, expr, locals)
Eval a Python-eval-expression. Sets ``self.locals_ptr`` to ``locals`` and compiles the code before evaluating.
Definition at line 876 of file pyratemp.py.
def f_default(self, expr, default=None)
``default()`` for the sandboxed code.
Try to evaluate an expression and return the result or a
fallback-/default-value; the `default`-value is used
if `expr` does not exist/is invalid/results in None.
This is very useful for optional data.
:Parameter:
- expr: eval-expression
- default: fallback-value if eval(expr) fails or is None.
:Returns:
the eval-result or the "fallback"-value.
:Note: the eval-expression has to be quoted! (like in eval)
:Example: see module-docstring
Definition at line 942 of file pyratemp.py.
def f_escape(self, s, format="HTML")
``escape()`` for the sandboxed code.
Definition at line 979 of file pyratemp.py.
def f_exists(self, varname)
``exists()`` for the sandboxed code.
Test if the variable `varname` exists in the current locals-namespace.
This only works for single variable names. If you want to test
complicated expressions, use e.g. `default`
(e.g. `default("expr",False)`).
:Note: the variable-name has to be quoted! (like in eval)
:Example: see module-docstring
Definition at line 928 of file pyratemp.py.
def f_import(self, name, _, __)
``import``/``__import__()`` for the sandboxed code.
Since "import" is insecure, the PseudoSandbox does not allow importing
other modules. But since some functions need to import
other modules (e.g. "datetime.datetime.strftime" imports "time"),
this function replaces the builtin "import" and allows to use
modules which are already accessible by the sandboxed code.
:Note:
- This probably only works for rather simple imports.
- For security, it may be better to avoid such (complex) modules
which import other modules. (e.g. use time.localtime and
time.strftime instead of datetime.datetime.strftime,
or write a small wrapper.)
:Example:
>>> from datetime import datetime
>>> import pyratemp
>>> t = pyratemp.Template('@!mytime.strftime("%H:%M:%S")!@')
# >>> print(t(mytime=datetime.now()))
# Traceback (most recent call last):
# ...
# ImportError: import not allowed in pseudo-sandbox; try to import 'time' yourself and pass it to the sandbox/template
>>> import time
>>> print(t(mytime=datetime.strptime("13:40:54", "%H:%M:%S"), time=time))
13:40:54
# >>> print(t(mytime=datetime.now(), time=time))
# 13:40:54
Definition at line 888 of file pyratemp.py.
def f_setvar(self, name, expr)
``setvar()`` for the sandboxed code.
Set a variable.
:Example: see module-docstring
Definition at line 969 of file pyratemp.py.
def register(self, name, obj)
Add an object to the "allowed eval-globals". Mainly useful to add user-defined functions to the pseudo-sandbox.
Definition at line 850 of file pyratemp.py.
Generated on Tue Jul 12 2022 17:17:37 by
1.7.2