Snakeoil Academy, PyCon AU 2021

Safely eval Python syntax using the AST module

Tim Savage

he/him

I am currently the development lead for Westpac Databank.

I got interested in Python around 2003-2004 by reading and absorbing the Python Cookbook; over the next 15 years Python became my main language. Along the way, I have written Python applications for the likes of Fairfax Media, Woolworths and Westpac, as well as several small startups. I contribute to many Python (and non-Python) open-source projects, including publishing several of my own modules, notably Odin and PyApp.

Outside of programming, I am a multi-instrumentalist, play drums in multiple bands in and around Sydney, and have an interest in electronics. My hands are kept full with twin daughters!

Safely eval Python syntax using the AST module

Allowing users of your application to provide rules or queries using Python syntax gives control back to end users and allows new solutions to be implemented without a new release. However, directly executing arbitrary Python syntax is a major security risk.

This talk dives into how to do this safely, along with the pitfalls and risks that must be avoided to ensure your application's security.

Main points:

  • Processing and parsing Python syntax using the ast module
  • Interpreting the generated syntax tree
  • Generating executable code that can be safely executed with eval
  • Why this is necessary or why eval/compile are not safe
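
The four points above, worked through as an added example that is not the talk's own code: parse the user's rule with the `ast` module, walk the tree against a whitelist of node types, compile the validated tree and evaluate it with an empty `__builtins__`, and contrast that with the naive approach of handing the raw string to `eval`. The helper names (`compile_rule`, `evaluate_rule`, `rejection_reason`, `naive_eval`), the allowed-node list and the sample rules are assumptions made for illustration.

```python
import ast

# Whitelist of node classes a rule may contain. Anything not listed here,
# including Attribute, Call, Subscript, Lambda and comprehensions, is
# rejected before compile() ever sees the tree. ast.Pow is deliberately
# absent: "9 ** 9 ** 9 ** 9" is a denial of service. ast.Attribute is
# deliberately absent: attribute traversal is the usual way out of a
# "sandbox" built on eval alone.
ALLOWED_NODES = (
    ast.Expression, ast.Constant, ast.Name, ast.Load,
    ast.Tuple, ast.List,
    ast.BoolOp, ast.And, ast.Or,
    ast.UnaryOp, ast.Not, ast.USub, ast.UAdd,
    ast.BinOp, ast.Add, ast.Sub, ast.Mult, ast.Div, ast.FloorDiv, ast.Mod,
    ast.Compare, ast.Eq, ast.NotEq, ast.Lt, ast.LtE, ast.Gt, ast.GtE,
    ast.In, ast.NotIn,
)


class UnsafeExpression(ValueError):
    """Raised when a rule uses syntax or names outside the whitelist."""


class RuleValidator(ast.NodeVisitor):
    """Walk the syntax tree and reject any node that is not on the whitelist."""

    def __init__(self, allowed_names):
        self.allowed_names = allowed_names

    def visit(self, node):
        # Check every node before dispatching; generic_visit then recurses
        # into the children through this same method.
        if not isinstance(node, ALLOWED_NODES):
            raise UnsafeExpression(f"{type(node).__name__} is not allowed")
        return super().visit(node)

    def visit_Constant(self, node):
        if not isinstance(node.value, (int, float, str, bool, type(None))):
            raise UnsafeExpression(
                f"constant of type {type(node.value).__name__} is not allowed")

    def visit_Name(self, node):
        # Names may only refer to values the caller explicitly supplies.
        if node.id.startswith("__") or node.id not in self.allowed_names:
            raise UnsafeExpression(f"unknown name {node.id!r}")


def compile_rule(expression, allowed_names, max_length=500):
    """Parse, validate and compile a rule to a code object (assumed helper)."""
    if len(expression) > max_length:
        raise UnsafeExpression("expression too long")
    try:
        tree = ast.parse(expression, mode="eval")
    except (SyntaxError, ValueError, RecursionError) as exc:
        raise UnsafeExpression(f"could not parse: {exc}") from None
    RuleValidator(frozenset(allowed_names)).visit(tree)
    return compile(tree, "<rule>", "eval")


def evaluate_rule(expression, context):
    """Evaluate a validated rule against a dict of caller-supplied values."""
    code = compile_rule(expression, context.keys())
    # Empty __builtins__ so the compiled code cannot reach open(),
    # __import__() and friends. The validator already rejected Call and
    # Attribute nodes, so this is belt and braces rather than the defence.
    return eval(code, {"__builtins__": {}}, dict(context))


def rejection_reason(expression, context=None):
    """Return why a rule is rejected, or None if it evaluates cleanly."""
    try:
        evaluate_rule(expression, context or {})
    except UnsafeExpression as exc:
        return str(exc)
    return None


def naive_eval(expression, context):
    """The tempting but broken approach: eval with builtins stripped only.

    Without the AST whitelist, attribute access is still available, so the
    expression can walk from any object to its class and on from there.
    """
    return eval(expression, {"__builtins__": {}}, dict(context))


if __name__ == "__main__":
    # Constructed sample rules and context for demonstration.
    txn = {"amount": 250, "currency": "AUD"}
    print(evaluate_rule("amount > 100 and currency in ('AUD', 'NZD')", txn))
    for rule in ("amount.__class__", "2 ** 64", "__import__('os')",
                 "().__class__.__base__.__subclasses__()"):
        print(f"{rule!r}: {rejection_reason(rule, txn)}")
    # The naive approach happily returns a list of every loaded class.
    print(type(naive_eval("().__class__.__base__.__subclasses__()", txn)))
```

The validator rejects by node type, so the list of allowed nodes is the whole policy: adding `ast.Attribute` or `ast.Call` to it reintroduces exactly the problem `naive_eval` has, and the length limit and the missing `ast.Pow` are what keep a hostile rule from turning into a denial of service.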