Use safe_eval vs eval.

2026-05-07 22:02:50 +00:00 · 2013-04-10 16:17:24 -04:00
parent fecfbf9226
commit a83e10d77d
2 changed files with 30 additions and 2 deletions
--- a/lib/ansible/utils/init.py
+++ b/lib/ansible/utils/init.py
@@ -162,7 +162,7 @@ def check_conditional(conditional):

    try:
        conditional = conditional.replace("\n", "\\n")
-        result = eval(conditional)
+        result = safe_eval(conditional)
        if result not in [ True, False ]:
            raise errors.AnsibleError("Conditional expression must evaluate to True or False: %s" % conditional)
        return result
@@ -684,3 +684,29 @@ def is_list_of_strings(items):
           return False
   return True

+def safe_eval(str):
+   ''' 
+   this is intended for allowing things like:
+   with_items: {{ a_list_variable }}
+   where Jinja2 would return a string
+   but we do not want to allow it to call functions (outside of Jinja2, where
+   the env is constrained)
+   '''
+   # FIXME: is there a more native way to do this?
+
+   # do not allow method calls
+   if re.search(r'\w\.\w+\(', str):
+       print "C1"
+       return str
+   # do not allow imports
+   if re.search(r'import \w+', str):
+       print "C2"
+       return str
+   return eval(str)
+
+
+
+
+   
+
+