Merge pull request python-quantities#236 from zm711/fix-eval-issue

apdavison · web-flow · commit 329433cac377 · 2024-08-27T10:25:04.000+02:00
Prevent arbitrary code eval
diff --git a/quantities/registry.py b/quantities/registry.py
@@ -1,8 +1,8 @@
 """
 """
 
-import copy
 import re
+import builtins
 
 
 class UnitRegistry:
@@ -16,6 +16,17 @@ def __init__(self):
             self.__context = {}
 
         def __getitem__(self, string):
+            
+            # easy hack to prevent arbitrary evaluation of code
+            all_builtins = dir(builtins)
+            # because we have kilobytes, other bytes we have to remove bytes
+            all_builtins.remove("bytes")
+            # have to deal with octet as well
+            all_builtins.remove("oct")
+            for builtin in all_builtins:
+                if builtin in string:
+                    raise RuntimeError(f"String parsing error for {string}. Enter a string accepted by quantities")
+
             try:
                 return eval(string, self.__context)
             except NameError:
