Evaluating user-defined conditions

Abigail abigail at abigail.be
Mon Jun 9 12:39:09 BST 2014

On Mon, Jun 09, 2014 at 12:03:13PM +0100, Jason Clifford wrote:
> On 2014-06-09 11:36, Andrew Beverley wrote:
>> Dear all,
>> I'd like to take a condition specified by a user and use it to perform
>> a set of tests on a data set. Is there a module to do this?
>> For example, I might have an array of hashes containing "name", "price"
>> and "age". I would like a user to be able to define their own condition,
>> such as "age > 10 && price < (age + 5) * 10", and then to get the result
>> (true or false) for each of the array items.
>> Is there a nice easy way to do this without trying to parse the
>> condition myself? Presumably I could do some sort of eval, but that
>> sounds highly dangerous with user input ;-)
>> Andy
> Take a look at Safe.pm for a way to do a safe eval.
> We did something around this recently to provide something rather like
> what you describe and it works very well.

Do note that Safe doesn't stop an attacker from consuming all memory,
or hogging the CPU.

But who is the "user"? If this is for a CLI program, using "eval" should
be fine in most cases. Sure, the eval could cause all kinds of havoc,
but unless it has the suid bit turned on, it won't be able to do more havoc
than the user could already do.

OTOH, if the user is Joe R. Hacker on the internet, Safe may not be safe
enough, and you're better off parsing the input yourself.

In short, Safe.pm may be the answer, but depending on who your users are,
it may be overkill, or still contain too many hooks for an attacker.


More information about the london.pm mailing list
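As an added example, not code from Abigail's reply or from any of the posters: a Perl script that does what the original question asks for with Safe.pm, built along the lines the replies suggest, with the CPU-time caveat handled by alarm. It assumes three fixed field names, a constructed data set and set of user conditions, a one-second time budget, and a choice to permit only Opcode's :base_core and :base_orig sets (the set names are Opcode's; picking those two is the example's own decision).

```perl
#!/usr/bin/env perl
# Added example (not code from the thread): evaluate a user-defined
# condition against rows of data inside a Safe compartment, with the
# run-time caveat from the reply handled by alarm. Field names, rows,
# conditions and limits below are constructed for illustration.
use strict;
use warnings;
use Safe;

my @FIELDS = qw(name price age);   # assumed columns of the data set

# Constructed sample data (not from the original post).
my @rows = (
    { name => 'widget', price => 120, age => 12 },
    { name => 'gadget', price => 200, age => 12 },
    { name => 'gizmo',  price => 30,  age => 3  },
);

# Constructed user input: the poster's example, a second legitimate
# condition, and three things an attacker might submit instead.
my @conditions = (
    'age > 10 && price < (age + 5) * 10',
    'name eq "widget" || age < 5',
    'system("id")',           # stopped by the opcode mask at compile time
    'unlink "/etc/passwd"',   # likewise
    '`id`',                   # stopped by the pre-filter, never reaches Safe
);

# Pre-filter: a single expression over bare field names. Rejecting sigils
# keeps the user from naming any variable except the ones exported below;
# rejecting braces and semicolons keeps the input to one expression.
sub acceptable_syntax {
    my ($cond) = @_;
    return 0 if length($cond) > 200;           # assumed size cap
    return 0 if $cond =~ /[\$\@\%\{\};\\`]/;
    return 1;
}

# Evaluate $cond against one row. Returns 1 or 0, or dies with a reason.
sub evaluate {
    my ($cond, $row) = @_;
    die "bad syntax\n" unless acceptable_syntax($cond);

    # Bare field names become package variables of the compartment.
    my $alt = join '|', map { quotemeta } @FIELDS;
    (my $code = $cond) =~ s/\b($alt)\b/\$$1/g;

    my $cpt = Safe->new;
    # Least privilege: arithmetic, comparison and regex ops (:base_core) plus
    # global-variable access (:base_orig). Compared with Safe's default this
    # drops :base_loop (for/while/map/grep) and :base_mem ('x', '..', string
    # concatenation), i.e. the cheapest CPU and memory exhaustion primitives.
    # A legitimate condition that dies with "trapped by operation mask" needs
    # that one op permitted explicitly; do not fall back to :default.
    $cpt->permit_only(qw(:base_core :base_orig));

    # Export the row's fields into the compartment's namespace.
    ${ $cpt->varglob($_) } = $row->{$_} for @FIELDS;

    # The opcode mask is a compile-time check only: it bounds neither run
    # time (recursion through anonymous subs and pathological regexes still
    # compile) nor memory. Wall-clock time is capped here with alarm; memory
    # needs an OS limit on the process, e.g. setrlimit via BSD::Resource or
    # 'ulimit -v' around the worker.
    my $result;
    eval {
        local $SIG{ALRM} = sub { die "timeout\n" };
        alarm 1;                             # assumed budget: one second
        $result = $cpt->reval($code);
        my $err = $@;
        alarm 0;
        die $err if $err;
        1;
    } or do {
        alarm 0;
        die $@ || "unknown error\n";
    };
    return $result ? 1 : 0;
}

for my $cond (@conditions) {
    print "condition: $cond\n";
    for my $row (@rows) {
        my $verdict = eval { evaluate($cond, $row) };
        my $err = $@; chomp $err;
        printf "  %-7s %s\n", $row->{name},
            defined $verdict ? $verdict : "rejected ($err)";
    }
}
```

Run it with plain `perl`: the first two conditions print a 1 or 0 per row, the last three are rejected for every row, the first two of those by Safe's operation mask and the backtick one by the pre-filter. The alarm only bounds wall-clock time; as the reply says, Safe does nothing about memory, so a memory cap has to come from outside the interpreter (setrlimit, ulimit, or a cgroup on the worker process).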