Allowing users of your application to provide rules or queries using Python syntax gives control back to end users and allows new solutions to be implemented without a new release. However, directly executing arbitrary Python syntax is a major security risk.
This talk dives into how to do this safely, along with the pitfalls and risks that must be avoided to ensure your application's security.
Main points:
- Processing and parsing Python syntax using the ast module
- Interpreting the generated syntax tree
- Generating executable code that can be safely executed with eval
- Why this is necessary, or why eval/compile are not safe
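As an added illustration of the approach in the points above (not code from the talk): a rule evaluator that parses user-supplied syntax with the ast module, interprets only an allow-list of node types, and refuses everything else, so constructs such as calls and attribute access are rejected rather than handed to eval. The rule strings, the context names and the UnsafeExpression class are constructed for this example.

```python
import ast
import operator

# Allow-list of operators the interpreter understands; anything else is refused.
_BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
            ast.Mult: operator.mul, ast.Div: operator.truediv}
_CMP_OPS = {ast.Eq: operator.eq, ast.NotEq: operator.ne, ast.Lt: operator.lt,
            ast.LtE: operator.le, ast.Gt: operator.gt, ast.GtE: operator.ge,
            ast.In: lambda a, b: a in b, ast.NotIn: lambda a, b: a not in b}

class UnsafeExpression(ValueError):
    """Raised when a rule uses syntax outside the allow-list."""

def evaluate_rule(source: str, context: dict):
    """Parse `source` as one expression and interpret the tree node by node.
    Calls, attribute access, subscripts, lambdas etc. are never matched below,
    so input like __import__('os').system('...') is rejected, not evaluated."""
    tree = ast.parse(source, mode="eval")  # SyntaxError for anything but an expression
    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant):
            return node.value
        if isinstance(node, (ast.Tuple, ast.List)):
            return tuple(walk(e) for e in node.elts)
        if isinstance(node, ast.Name):  # only names the caller explicitly exposes
            if node.id not in context:
                raise UnsafeExpression(f"unknown name {node.id!r}")
            return context[node.id]
        if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
            return _BIN_OPS[type(node.op)](walk(node.left), walk(node.right))
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
            return not walk(node.operand)
        if isinstance(node, ast.BoolOp):  # short-circuits like Python's and/or
            is_and = isinstance(node.op, ast.And)
            for value in node.values:
                result = walk(value)
                if bool(result) != is_and:
                    return result
            return result
        if isinstance(node, ast.Compare):  # handles chains such as 1 < x < 5
            left = walk(node.left)
            for op, comparator in zip(node.ops, node.comparators):
                if type(op) not in _CMP_OPS:
                    raise UnsafeExpression(f"operator {type(op).__name__} not allowed")
                right = walk(comparator)
                if not _CMP_OPS[type(op)](left, right):
                    return False
                left = right
            return True
        raise UnsafeExpression(f"node {type(node).__name__} not allowed")
    return walk(tree)
```

Note that exponentiation is deliberately absent from the allow-list: an unbounded `**` in a user rule is a resource-exhaustion problem even when no name or call is exposed.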