May 4, 2024
NEWS

Code Smell 245 – exec() and eval()

Claudio Ctin04 mins
Code Smell 245 – exec() and eval()

A great door for hackers

TL;DR: Don’t use metaprogramming. It is not that cool

Problems

Security

Limited Control

Solutions

Use direct calls

Wrap the execution in a primitive and controlled command

Sanitize it

Context

Developers employ the eval() and exec() functions to evaluate arbitrary expressions from strings.

They can be a powerful tool in certain contexts but come with several risks and problems, especially when used with untrusted input or where the code’s behavior is not fully controlled or understood.

Sample Code

Wrong

def calculate(mathOperand, firstArgument, secondArgument):
return eval(f{firstArgument} {mathOperand} {secondArgument})

# Sample usage to multiply two numbers
result = calculate(*, 4, 6)

# Injection to remove all files
calculate(, __import__(os).system(rm -rf *),))

Right

def calculate(mathOperand, firstArgument, secondArgument):
if mathOperand == +:
return firstArgument + secondArgument
elif mathOperand == :
return firstArgument secondArgument
elif mathOperand == *:
return firstArgument * secondArgument
elif mathOperand == /:
if secondArgument != 0:
return firstArgument / secondArgument
else:
return Error: Division by zero
else:
return Error: Invalid operation – Do not hack!

# This is a quick solution but another smell
# You should avoid this kind of switches and iterate to
# a Polymorphic Hierarchy

Detection

[X] Automatic

You can search for eval() in the code

Tags

Metaprogramming

Level

[x] Intermediate

AI Assistants

Most AI Assistants avoid using eval() in their solutions.

They also recognize it as a code smell and offer different options

Conclusion

Avoid this metaprogramming solution by hardcoding all the possible scenarios and avoiding over-generalizations.

Relations


Code Smell 207 – Dynamic Methods

Maxi Contieri ・ Apr 17 ’23

#webdev
#beginners
#programming
#ruby


Code Smell 189 – Not Sanitized Input

Maxi Contieri ・ Dec 28 ’22

#webdev
#beginners
#programming
#security


Code Smell 215 – Deserializing Object Vulnerability

Maxi Contieri ・ Jun 1 ’23

#webdev
#beginners
#programming
#security

More Info


Laziness I: Meta-programming

Maxi Contieri ・ Jan 30 ’21

#codenewbie
#metaprogramming
#oop
#programming

Disclaimer

Code Smells are my opinion.

Credits

Photo by Yang on Unsplash

When you actually sit down to write some code, you learn things that you didn’t get from thinking about them in modeling terms…there is a feedback process there that you can only really get at from executing some things and seeing what works.

Martin Fowler


Software Engineering Great Quotes

Maxi Contieri ・ Dec 28 ’20

#codenewbie
#programming
#quotes
#software

This article is part of the CodeSmell Series.


How to Find the Stinky parts of your Code

Maxi Contieri ・ May 21 ’21

#codenewbie
#tutorial
#codequality
#beginners

Leave a Reply

Your email address will not be published. Required fields are marked *

Stiri similare