Evaluating user-defined conditions
Tom Hukins
tom at eborcom.com
Tue Jun 10 10:04:59 BST 2014
On Tue, Jun 10, 2014 at 09:55:40AM +0200, Mark Overmeer wrote:
> * Andrew Beverley (andy at andybev.com) [140609 10:57]:
> > I'd like to take a condition specified by a user and use it to perform a
> > set of tests on a data set. Is there a module to do this?
>
> What about PPI: parse the string as Perl, then walk through the
> result tree to check for unsupported nodes.

PPI provides a complicated way to parse as much of Perl as possible.
It has 68 bugs currently filed against it. I wouldn't be surprised if
a malicious user could generate simple code that would cause PPI to
consume lots of resources.

Given that Andy wants to process untrusted input, this seems like a
bad choice.

The earlier suggestions on this thread of using a specialised
mini-language or constructing one using a parser seem like better
solutions than generalised approaches like using PPI or Docker
containers.

Tom
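
A sketch of the specialised mini-language approach suggested above, as an added example that is not code from this thread or from any module named in it. The grammar, the field names, the 200-character limit and the nesting limit of 20 are all assumptions chosen for illustration; the user's string is only ever tokenised against a whitelist and compared with record fields, never passed to eval.

```perl
use strict;
use warnings;
# Hypothetical grammar: expr := term ('or' term)*   term := fact ('and' fact)*
#                       fact := 'not' fact | '(' expr ')' | FIELD OP VALUE
my %OPS = (
    '==' => sub { $_[0] == $_[1] }, '!=' => sub { $_[0] != $_[1] },
    '<'  => sub { $_[0] <  $_[1] }, '<=' => sub { $_[0] <= $_[1] },
    '>'  => sub { $_[0] >  $_[1] }, '>=' => sub { $_[0] >= $_[1] },
    'eq' => sub { $_[0] eq $_[1] }, 'ne' => sub { $_[0] ne $_[1] },
);
my $TOKEN = qr/-?[0-9]+(?:\.[0-9]+)?|"[^"\\]*"|[=!<>]=|[<>()]|[A-Za-z_][A-Za-z0-9_]*/;

sub tokenize {
    my ($src) = @_;
    die "condition too long\n" if length($src) > 200;    # bound the work up front
    my @tok;    # string literals keep their quotes, so "eq" never passes as eq
    push @tok, $1 while $src =~ /\G\s*($TOKEN)/gc;
    die "unexpected input at offset " . (pos($src) // 0) . "\n" unless $src =~ /\G\s*\z/gc;
    return @tok;
}

sub take { my ($c, $w) = @_; @{ $c->{tok} } && $c->{tok}[0] eq $w ? shift @{ $c->{tok} } : undef }
sub expr { my $c = shift; my $v = term($c); $v = term($c) || $v while take($c, 'or');  $v }
sub term { my $c = shift; my $v = fact($c); $v = fact($c) && $v while take($c, 'and'); $v }
sub fact {
    my $c = shift;
    local $c->{depth} = $c->{depth} + 1;    # restored on return
    die "nesting too deep\n" if $c->{depth} > 20;
    return fact($c) ? 0 : 1 if take($c, 'not');
    if (take($c, '(')) { my $v = expr($c); take($c, ')') or die "expected ')'\n"; return $v }
    my ($f, $op, $val) = splice @{ $c->{tok} }, 0, 3;
    die "expected FIELD OP VALUE\n" unless defined $val && $f =~ /^[A-Za-z_]/ && exists $c->{rec}{$f};
    my $cmp    = $OPS{$op} or die "unknown operator '$op'\n";
    my $is_str = $val =~ s/^"(.*)"\z/$1/s;    # strings pair with eq/ne, numbers with the rest
    die "bad value for '$op'\n" unless $is_str ? $op =~ /^[en]/ : $val =~ /^-?[0-9]/ && $op !~ /^[en]/;
    return $cmp->($c->{rec}{$f}, $val) ? 1 : 0;
}

sub evaluate {
    my ($src, $rec) = @_;
    my $c = { tok => [ tokenize($src) ], rec => $rec, depth => 0 };
    my $v = expr($c);
    die "trailing input\n" if @{ $c->{tok} };
    return $v;
}

my %row = (age => 42, status => 'open');    # constructed sample record
for my $cond ('age >= 18 and status eq "open"', 'age > 1; print "x"') {
    my $r = eval { evaluate($cond, \%row) };
    print "$cond => ", defined $r ? "$r\n" : "rejected: $@";
}
```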