What specifically are the dangers of eval(parse(...))?

Tags: parsing, r, eval

There are several questions on how to avoid using eval(parse(...))

  • r-evalparse-is-often-suboptimal
  • avoiding-the-infamous-evalparse-construct

Which sparks the questions:

  • Why specifically should eval(parse()) be avoided?
  • And most importantly, what are the dangers?
    • Are there any dangers if the code is not used in production? (I'm thinking, any danger of getting back unintended results. Clearly if you are not careful about what you are parsing, you will have issues. But is that any more dangerous than being sloppy with get()?)
Ricardo Saporta, asked Nov 30 '12 17:11


1 Answer

Most of the arguments against eval(parse(...)) arise not because of security concerns, after all, no claims are made about R being a safe interface to expose to the Internet, but rather because such code is generally doing things that can be accomplished using less obscure methods, i.e. methods that are both quicker and more human parse-able. The R language is supposed to be high-level, so the preference of the cognoscenti (and I do not consider myself in that group) is to see code that is both compact and expressive.

So the danger is that eval(parse(...)) is a backdoor method of getting around lack of knowledge, and the hope in raising that barrier is that people will improve their use of the R language. The door remains open but the hope is for more expressive use of other features. Carl Witthoft's question earlier today illustrated not knowing that the get function was available, and the question he linked to exposed a lack of understanding of how the [[ function behaved (and how $ was more limited than [[). In both cases an eval(parse(...)) solution could be constructed, but it was clunkier and less clear than the alternative.

IRTFM, answered Sep 20 '22 05:09
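The contrast the answer draws, as an added example that is not part of the original question or answer: the same lookups written with eval(parse(...)) and with the direct forms it mentions (get() and [[), plus the "not careful about what you are parsing" case the question raises. The data frame, the column names and the untrusted string are constructed for the example; column_by_name is a hypothetical helper, not a function from any package.

```r
# Constructed data: two numeric columns so that a name held in a variable
# has something to select.
df <- data.frame(height = c(150, 160, 170), weight = c(50, 60, 70))

# --- Column chosen by a name held in a variable ---------------------------
col <- "weight"
df$col                                  # NULL: $ uses the literal name "col"
eval(parse(text = paste0("df$", col)))  # builds R source text, then parses and runs it
df[[col]]                               # same result: [[ takes a character index

# --- Object fetched by a name held in a string ----------------------------
obj_name <- "df"
identical(eval(parse(text = obj_name)), get(obj_name))  # TRUE; get() is the direct form

# --- Hypothetical helper: validate the name, then index; never parse it ---
column_by_name <- function(d, name) {
  stopifnot(is.character(name), length(name) == 1)
  if (!name %in% names(d)) stop("no such column: ", name)
  d[[name]]
}

# --- Why the distinction matters once the string is not under your control
# The string is only supposed to name a column, but parse() turns it into
# R code, so any statement appended to it runs too. A harmless message()
# stands in for whatever else could be put there.
untrusted <- 'weight; message("arbitrary code ran here")'
eval(parse(text = paste0("df$", untrusted)))  # runs both statements: the lookup, then message()
df[[untrusted]]                               # NULL: the string is used only as a lookup key
tryCatch(column_by_name(df, untrusted),       # rejected before any lookup happens
         error = function(e) conditionMessage(e))
```

The first block is the "clunkier and less clear" point: `df[[col]]` says directly what `eval(parse(text = paste0("df$", col)))` has to assemble as source text. The last block is the practical reading of "dangers": with `[[` or `get()` an unexpected string can at worst select the wrong object or return NULL, whereas with `eval(parse(...))` it is executed as a program, so a string that reaches it from input, a file or a network request should be validated against a known list of names rather than parsed.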