
Odd behavior with units parsing #58

Open
andrewcollette opened this issue Jul 3, 2017 · 2 comments

@andrewcollette

Units are being run through "eval" at some point, resulting in this:

In [70]: UnitScalar(1, units='min')
Out[70]: UnitScalar(1, units='<built-in function min>')

In [71]: UnitScalar(1, units='__import__("os").system("ls -l /")')
total 45
drwxrwxr-x+ 73 root  admin  2482 Jun 26 17:24 Applications
drwxr-xr-x+ 64 root  wheel  2176 Aug 31  2016 Library
drwxr-xr-x@  2 root  wheel    68 Nov  9  2015 Network
drwxr-xr-x@  4 root  wheel   136 May 17 13:55 System
drwxr-xr-x   6 root  admin   204 Nov  9  2015 Users
drwxrwxrwt@  3 root  admin   102 Jul  3 13:04 Volumes
drwxr-xr-x@ 39 root  wheel  1326 May 17 13:55 bin
drwxrwxr-t@  2 root  admin    68 Nov  9  2015 cores
dr-xr-xr-x   3 root  wheel  4210 Jul  3 10:08 dev
lrwxr-xr-x@  1 root  wheel    11 Nov  9  2015 etc -> private/etc
dr-xr-xr-x   2 root  wheel     1 Jul  3 10:08 home
-rw-r--r--@  1 root  wheel   313 Aug 22  2015 installer.failurerequests
dr-xr-xr-x   2 root  wheel     1 Jul  3 10:08 net
drwxrwxr-x@  6 root  wheel   204 Sep 14  2016 opt
drwxr-xr-x@  6 root  wheel   204 Aug 31  2016 private
drwxr-xr-x@ 59 root  wheel  2006 May 17 13:55 sbin
lrwxr-xr-x@  1 root  wheel    11 Nov  9  2015 tmp -> private/tmp
drwxr-xr-x@ 13 root  wheel   442 Nov 12  2015 usr
lrwxr-xr-x@  1 root  wheel    11 Nov  9  2015 var -> private/var
Out[71]: UnitScalar(1, units='0')

Basically, right now unit labels should not be accepted from an untrusted source.

@jonathanrocher
Contributor

jonathanrocher commented Jul 3, 2017

Holy cow! We should at least add some serious warnings in the docs... Thanks for pointing it out.

@rahulporuri
Contributor

The eval is happening here:

value = eval(string, self.context)
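To make the two points of this thread concrete (the report above that `'min'` resolves to the builtin and a call expression runs a shell command, and the `eval(string, self.context)` line quoted just above), here is an added example that is not part of the issue or of the project's own code. `parse_units_unsafe` reproduces the `eval` pattern; `parse_units_safe` is one way to parse a unit label without executing it: parse the string to an AST and walk it with an allow-list of names, numeric literals and the operators `*`, `/` and `**`, rejecting every other node type (calls, attribute access, subscripts, comparisons). `UNIT_TABLE` is a constructed lookup table standing in for whatever registry the real library uses; the scale factors in it and the `_MAX_EXPONENT` bound are assumptions for the example.

```python
import ast
import operator

# Constructed registry of scale factors used for this example only;
# it stands in for whatever unit table the real library keeps.
UNIT_TABLE = {
    "m": 1.0, "cm": 0.01, "km": 1000.0,
    "s": 1.0, "min": 60.0, "hour": 3600.0,
    "kg": 1.0, "g": 0.001,
}


class UnitParseError(ValueError):
    """Raised for anything that is not a plain unit expression."""


def parse_units_unsafe(string, context):
    """The pattern quoted in the issue: the label is handed straight to eval().

    Even with an empty context, eval() inserts __builtins__, so 'min' resolves
    to the builtin function and any call expression in the label is executed.
    """
    return eval(string, context)


_BINOPS = {ast.Mult: operator.mul, ast.Div: operator.truediv}
_MAX_EXPONENT = 8  # assumed bound; keeps 'm**999999' from being accepted as a unit


def _int_literal(node):
    """Return the value of a (possibly negated) integer literal, else None."""
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
        inner = _int_literal(node.operand)
        return None if inner is None else -inner
    if isinstance(node, ast.Constant) and type(node.value) is int:
        return node.value
    return None


def _eval_node(node, table):
    # Numeric literal (bool is a subclass of int and is deliberately excluded).
    if isinstance(node, ast.Constant) and type(node.value) in (int, float):
        return float(node.value)
    # Bare name: must be a known unit; builtins are never consulted.
    if isinstance(node, ast.Name):
        if node.id not in table:
            raise UnitParseError("unknown unit %r" % node.id)
        return table[node.id]
    # Exponent: only a small integer literal, so no arbitrary sub-expression.
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Pow):
        base = _eval_node(node.left, table)
        exp = _int_literal(node.right)
        if exp is None or abs(exp) > _MAX_EXPONENT:
            raise UnitParseError("exponent must be a small integer literal")
        return base ** exp
    # Only * and / are meaningful between units.
    if isinstance(node, ast.BinOp) and type(node.op) in _BINOPS:
        left = _eval_node(node.left, table)
        right = _eval_node(node.right, table)
        if isinstance(node.op, ast.Div) and right == 0:
            raise UnitParseError("division by zero in unit expression")
        return _BINOPS[type(node.op)](left, right)
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
        return -_eval_node(node.operand, table)
    # Everything else (Call, Attribute, Subscript, IfExp, Compare, ...) is rejected.
    raise UnitParseError("disallowed syntax: %s" % type(node).__name__)


def parse_units_safe(string, table=UNIT_TABLE):
    """Evaluate a unit label such as 'km/hour' or 'kg*m**-2' as a scale factor.

    The string is parsed to an AST and walked with an allow-list; no code is
    executed, so '__import__("os").system("ls -l /")' raises UnitParseError.
    """
    try:
        tree = ast.parse(string, mode="eval")
    except SyntaxError as e:
        raise UnitParseError("not a unit expression: %s" % e)
    return _eval_node(tree.body, table)


def rejects(string):
    """True if the safe parser refuses the string without evaluating it."""
    try:
        parse_units_safe(string)
    except UnitParseError:
        return True
    return False


if __name__ == "__main__":
    print(parse_units_unsafe("min", {}))                  # <built-in function min>
    print(parse_units_safe("min"))                        # 60.0
    print(parse_units_safe("km/hour"))                    # 1000.0/3600.0
    print(rejects('__import__("os").system("ls -l /")'))  # True
```

One caveat worth stating for anyone tempted by a smaller patch: stripping `__builtins__` from the context passed to `eval` (for example `eval(string, {"__builtins__": {}})`) is not a fix. Attribute access is still available, and chains such as `().__class__.__base__.__subclasses__()` reach back to arbitrary classes without any builtin, which is why the parser above rejects `ast.Attribute` outright rather than trying to restrict the namespace.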
