././@PaxHeader0000000000000000000000000000003400000000000011452 xustar000000000000000028 mtime=1634962310.9571996 simpleeval-0.9.11/0000755000076500000240000000000000000000000014323 5ustar00danielstaff00000000000000././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1618303224.0 simpleeval-0.9.11/.coveragerc0000644000076500000240000000006500000000000016445 0ustar00danielstaff00000000000000[run] branch = True omit = /home/travis/virtualenv/* ././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1618393449.0 simpleeval-0.9.11/.gitignore0000644000076500000240000000006300000000000016312 0ustar00danielstaff00000000000000*.pyc build dist MANIFEST .idea venv testfile.txt ././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1634905025.0 simpleeval-0.9.11/.travis.yml0000644000076500000240000000065100000000000016436 0ustar00danielstaff00000000000000language: python dist: xenial arch: - amd64 - ppc64le python: - "2.7" - "3.4" - "3.5" - "3.6" - "3.7" - "3.8" - "3.9" - "pypy3.5" matrix: exclude: - python: "2.7" arch: ppc64le - python: "pypy3.5" arch: ppc64le install: - pip install nose - pip install coveralls - pip install coverage script: - nosetests - coverage run -m nose after_success: - coveralls ././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1618303224.0 simpleeval-0.9.11/LICENCE0000644000076500000240000000210400000000000015305 0ustar00danielstaff00000000000000simpleeval - Copyright (c) 2013-2017 Daniel Fairhead (MIT Licence) Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. ././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1618303224.0 simpleeval-0.9.11/MANIFEST.in0000644000076500000240000000007600000000000016064 0ustar00danielstaff00000000000000include README.rst include LICENCE include test_simpleeval.py ././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1634962018.0 simpleeval-0.9.11/Makefile0000644000076500000240000000044000000000000015761 0ustar00danielstaff00000000000000test: python test_simpleeval.py autotest: find . -name \*.py -not -path .\/.v\* | entr make test .PHONY: test dist/: setup.cfg simpleeval.py README.rst python -m build twine check dist/* pypi: test dist/ twine check dist/* twine upload dist/* clean: rm -rf build rm -rf dist ././@PaxHeader0000000000000000000000000000003300000000000011451 xustar000000000000000027 mtime=1634962310.957339 simpleeval-0.9.11/PKG-INFO0000644000076500000240000003360100000000000015423 0ustar00danielstaff00000000000000Metadata-Version: 2.1 Name: simpleeval Version: 0.9.11 Summary: A simple, safe single expression evaluator library. Home-page: https://github.com/danthedeckie/simpleeval Author: Daniel Fairhead Author-email: danthedeckie@gmail.com License: UNKNOWN Keywords: eval,simple,expression,parse,ast Platform: UNKNOWN Classifier: Development Status :: 4 - Beta Classifier: Intended Audience :: Developers Classifier: License :: OSI Approved :: MIT License Classifier: Topic :: Software Development :: Libraries :: Python Modules Classifier: Programming Language :: Python Description-Content-Type: text/x-rst License-File: LICENCE simpleeval (Simple Eval) ======================== .. image:: https://travis-ci.org/danthedeckie/simpleeval.svg?branch=master :target: https://travis-ci.org/danthedeckie/simpleeval :alt: Build Status .. image:: https://coveralls.io/repos/github/danthedeckie/simpleeval/badge.svg?branch=master :target: https://coveralls.io/r/danthedeckie/simpleeval?branch=master :alt: Coverage Status .. image:: https://badge.fury.io/py/simpleeval.svg :target: https://badge.fury.io/py/simpleeval :alt: PyPI Version A quick single file library for easily adding evaluatable expressions into python projects. Say you want to allow a user to set an alarm volume, which could depend on the time of day, alarm level, how many previous alarms had gone off, and if there is music playing at the time. Or if you want to allow simple formulae in a web application, but don't want to give full eval() access, or don't want to run in javascript on the client side. It's deliberately very simple, pull it in from PyPI (pip or easy_install), or even just a single file you can dump into a project. Internally, it's using the amazing python ``ast`` module to parse the expression, which allows very fine control of what is and isn't allowed. It should be completely safe in terms of what operations can be performed by the expression. The only issue I know to be aware of is that you can create an expression which takes a long time to evaluate, or which evaluating requires an awful lot of memory, which leaves the potential for DOS attacks. There is basic protection against this, and you can lock it down further if you desire. (see the Operators_ section below) You should be aware of this when deploying in a public setting. The defaults are pretty locked down and basic, and it's very easy to add whatever extra specific functionality you need (your own functions, variable/name lookup, etc). Basic Usage ----------- To get very simple evaluating: .. code-block:: python from simpleeval import simple_eval simple_eval("21 + 21") returns ``42``. Expressions can be as complex and convoluted as you want: .. code-block:: python simple_eval("21 + 19 / 7 + (8 % 3) ** 9") returns ``535.714285714``. You can add your own functions in as well. .. code-block:: python simple_eval("square(11)", functions={"square": lambda x: x*x}) returns ``121``. For more details of working with functions, read further down. Note: ~~~~~ all further examples use ``>>>`` to designate python code, as if you are using the python interactive prompt. .. _Operators: Operators --------- You can add operators yourself, using the ``operators`` argument, but these are the defaults: +--------+------------------------------------+ | ``+`` | add two things. ``x + y`` | | | ``1 + 1`` -> ``2`` | +--------+------------------------------------+ | ``-`` | subtract two things ``x - y`` | | | ``100 - 1`` -> ``99`` | +--------+------------------------------------+ | ``/`` | divide one thing by another | | | ``x / y`` | | | ``100/10`` -> ``10`` | +--------+------------------------------------+ | ``*`` | multiple one thing by another | | | ``x * y`` | | | ``10 * 10`` -> ``100`` | +--------+------------------------------------+ | ``**`` | 'to the power of' ``x**y`` | | | ``2 ** 10`` -> ``1024`` | +--------+------------------------------------+ | ``%`` | modulus. (remainder) ``x % y`` | | | ``15 % 4`` -> ``3`` | +--------+------------------------------------+ | ``==`` | equals ``x == y`` | | | ``15 == 4`` -> ``False`` | +--------+------------------------------------+ | ``<`` | Less than. ``x < y`` | | | ``1 < 4`` -> ``True`` | +--------+------------------------------------+ | ``>`` | Greater than. ``x > y`` | | | ``1 > 4`` -> ``False`` | +--------+------------------------------------+ | ``<=`` | Less than or Equal to. ``x <= y`` | | | ``1 < 4`` -> ``True`` | +--------+------------------------------------+ | ``>=`` | Greater or Equal to ``x >= 21`` | | | ``1 >= 4`` -> ``False`` | +--------+------------------------------------+ | ``in`` | is something contained within | | | something else. | | | ``"spam" in "my breakfast"`` | | | -> ``False`` | +--------+------------------------------------+ The ``^`` operator is notably missing - not because it's hard, but because it is often mistaken for a exponent operator, not the bitwise operation that it is in python. It's trivial to add back in again if you wish (using the class based evaluator explained below): .. code-block:: python >>> import ast >>> import operator >>> s = SimpleEval() >>> s.operators[ast.BitXor] = operator.xor >>> s.eval("2 ^ 10") 8 Limited Power ~~~~~~~~~~~~~ Also note, the ``**`` operator has been locked down by default to have a maximum input value of ``4000000``, which makes it somewhat harder to make expressions which go on for ever. You can change this limit by changing the ``simpleeval.POWER_MAX`` module level value to whatever is an appropriate value for you (and the hardware that you're running on) or if you want to completely remove all limitations, you can set the ``s.operators[ast.Pow] = operator.pow`` or make your own function. On my computer, ``9**9**5`` evaluates almost instantly, but ``9**9**6`` takes over 30 seconds. Since ``9**7`` is ``4782969``, and so over the ``POWER_MAX`` limit, it throws a ``NumberTooHigh`` exception for you. (Otherwise it would go on for hours, or until the computer runs out of memory) Strings (and other Iterables) Safety ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ There are also limits on string length (100000 characters, ``MAX_STRING_LENGTH``). This can be changed if you wish. Related to this, if you try to create a silly long string/bytes/list, by doing ``'i want to break free'.split() * 9999999999`` for instance, it will block you. If Expressions -------------- You can use python style ``if x then y else z`` type expressions: .. code-block:: python >>> simple_eval("'equal' if x == y else 'not equal'", names={"x": 1, "y": 2}) 'not equal' which, of course, can be nested: .. code-block:: python >>> simple_eval("'a' if 1 == 2 else 'b' if 2 == 3 else 'c'") 'c' Functions --------- You can define functions which you'd like the expresssions to have access to: .. code-block:: python >>> simple_eval("double(21)", functions={"double": lambda x:x*2}) 42 You can define "real" functions to pass in rather than lambdas, of course too, and even re-name them so that expressions can be shorter .. code-block:: python >>> def double(x): return x * 2 >>> simple_eval("d(100) + double(1)", functions={"d": double, "double":double}) 202 If you don't provide your own ``functions`` dict, then the the following defaults are provided in the ``DEFAULT_FUNCTIONS`` dict: +----------------+--------------------------------------------------+ | ``randint(x)`` | Return a random ``int`` below ``x`` | +----------------+--------------------------------------------------+ | ``rand()`` | Return a random ``float`` between 0 and 1 | +----------------+--------------------------------------------------+ | ``int(x)`` | Convert ``x`` to an ``int``. | +----------------+--------------------------------------------------+ | ``float(x)`` | Convert ``x`` to a ``float``. | +----------------+--------------------------------------------------+ | ``str(x)`` | Convert ``x`` to a ``str`` (``unicode`` in py2) | +----------------+--------------------------------------------------+ If you want to provide a list of functions, but want to keep these as well, then you can do a normal python ``.copy()`` & ``.update``: .. code-block:: python >>> my_functions = simpleeval.DEFAULT_FUNCTIONS.copy() >>> my_functions.update( square=(lambda x:x*x), double=(lambda x:x+x), ) >>> simple_eval('square(randint(100))', functions=my_functions) Names ----- Sometimes it's useful to have variables available, which in python terminology are called 'names'. .. code-block:: python >>> simple_eval("a + b", names={"a": 11, "b": 100}) 111 You can also hand the handling of names over to a function, if you prefer: .. code-block:: python >>> def name_handler(node): return ord(node.id[0].lower(a))-96 >>> simple_eval('a + b', names=name_handler) 3 That was a bit of a silly example, but you could use this for pulling values from a database or file, say, or doing some kind of caching system. The two default names that are provided are ``True`` and ``False``. So if you want to provide your own names, but want ``True`` and ``False`` to keep working, either provide them yourself, or ``.copy()`` and ``.update`` the ``DEFAULT_NAMES``. (See functions example above). Creating an Evaluator Class --------------------------- Rather than creating a new evaluator each time, if you are doing a lot of evaluations, you can create a SimpleEval object, and pass it expressions each time (which should be a bit quicker, and certainly more convenient for some use cases): .. code-block:: python >>> s = SimpleEval() >>> s.eval("1 + 1") 2 >>> s.eval('100 * 10') 1000 # and so on... You can assign / edit the various options of the ``SimpleEval`` object if you want to. Either assign them during creation (like the ``simple_eval`` function) .. code-block:: python def boo(): return 'Boo!' s = SimpleEval(functions={"boo": boo}) or edit them after creation: .. code-block:: python s.names['fortytwo'] = 42 this actually means you can modify names (or functions) with functions, if you really feel so inclined: .. code-block:: python s = SimpleEval() def set_val(name, value): s.names[name.value] = value.value return value.value s.functions = {'set': set_val} s.eval("set('age', 111)") Say. This would allow a certain level of 'scriptyness' if you had these evaluations happening as callbacks in a program. Although you really are reaching the end of what this library is intended for at this stage. Compound Types -------------- Compound types (``dict``, ``tuple``, ``list``, ``set``) in general just work if you pass them in as named objects. If you want to allow creation of these, the ``EvalWithCompoundTypes`` class works. Just replace any use of ``SimpleEval`` with that. The ``EvalWithCompoundTypes`` class also contains support for simple comprehensions. eg: ``[x + 1 for x in [1,2,3]]``. There's a safety `MAX_COMPREHENSION_LENGTH` to control how many items it'll allow before bailing too. This also takes into account nested comprehensions. Since the primary intention of this library is short expressions - an extra 'sweetener' is enabled by default. You can access a dict (or similar's) keys using the .attr syntax: .. code-block:: python >>> simple_eval("foo.bar", names={"foo": {"bar": 42}}) 42 for instance. You can turn this off either by setting the module global `ATTR_INDEX_FALLBACK` to `False`, or on the ``SimpleEval`` instance itself. e.g. ``evaller.ATTR_INDEX_FALLBACK=False``. Extending --------- The ``SimpleEval`` class is pretty easy to extend. For instance, to create a version that disallows method invocation on objects: .. code-block:: python import ast import simpleeval class EvalNoMethods(simpleeval.SimpleEval): def _eval_call(self, node): if isinstance(node.func, ast.Attribute): raise simpleeval.FeatureNotAvailable("No methods please, we're British") return super(EvalNoMethods, self)._eval_call(node) and then use ``EvalNoMethods`` instead of the ``SimpleEval`` class. Other... -------- The library supports python 3 - but should be mostly compatible (and tested before 0.9.11) with python 2.7 as well. Object attributes that start with ``_`` or ``func_`` are disallowed by default. If you really need that (BE CAREFUL!), then modify the module global ``simpleeval.DISALLOW_PREFIXES``. A few builtin functions are listed in ``simpleeval.DISALLOW_FUNCTIONS``. ``type``, ``open``, etc. If you need to give access to this kind of functionality to your expressions, then be very careful. You'd be better wrapping the functions in your own safe wrappers. The initial idea came from J.F. Sebastian on Stack Overflow ( http://stackoverflow.com/a/9558001/1973500 ) with modifications and many improvements, see the head of the main file for contributors list. Please read the ``test_simpleeval.py`` file for other potential gotchas or details. I'm very happy to accept pull requests, suggestions, or other issues. Enjoy! Developing ---------- Run tests:: $ make test Or to set the tests running on every file change: $ make autotest (requires ``entr``) BEWARE ------ I've done the best I can with this library - but there's no warrenty, no guarentee, nada. A lot of very clever people think the whole idea of trying to sandbox CPython is impossible. Read the code yourself, and use it at your own risk. ././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1634905867.0 simpleeval-0.9.11/README.rst0000644000076500000240000003242000000000000016013 0ustar00danielstaff00000000000000simpleeval (Simple Eval) ======================== .. image:: https://travis-ci.org/danthedeckie/simpleeval.svg?branch=master :target: https://travis-ci.org/danthedeckie/simpleeval :alt: Build Status .. image:: https://coveralls.io/repos/github/danthedeckie/simpleeval/badge.svg?branch=master :target: https://coveralls.io/r/danthedeckie/simpleeval?branch=master :alt: Coverage Status .. image:: https://badge.fury.io/py/simpleeval.svg :target: https://badge.fury.io/py/simpleeval :alt: PyPI Version A quick single file library for easily adding evaluatable expressions into python projects. Say you want to allow a user to set an alarm volume, which could depend on the time of day, alarm level, how many previous alarms had gone off, and if there is music playing at the time. Or if you want to allow simple formulae in a web application, but don't want to give full eval() access, or don't want to run in javascript on the client side. It's deliberately very simple, pull it in from PyPI (pip or easy_install), or even just a single file you can dump into a project. Internally, it's using the amazing python ``ast`` module to parse the expression, which allows very fine control of what is and isn't allowed. It should be completely safe in terms of what operations can be performed by the expression. The only issue I know to be aware of is that you can create an expression which takes a long time to evaluate, or which evaluating requires an awful lot of memory, which leaves the potential for DOS attacks. There is basic protection against this, and you can lock it down further if you desire. (see the Operators_ section below) You should be aware of this when deploying in a public setting. The defaults are pretty locked down and basic, and it's very easy to add whatever extra specific functionality you need (your own functions, variable/name lookup, etc). Basic Usage ----------- To get very simple evaluating: .. code-block:: python from simpleeval import simple_eval simple_eval("21 + 21") returns ``42``. Expressions can be as complex and convoluted as you want: .. code-block:: python simple_eval("21 + 19 / 7 + (8 % 3) ** 9") returns ``535.714285714``. You can add your own functions in as well. .. code-block:: python simple_eval("square(11)", functions={"square": lambda x: x*x}) returns ``121``. For more details of working with functions, read further down. Note: ~~~~~ all further examples use ``>>>`` to designate python code, as if you are using the python interactive prompt. .. _Operators: Operators --------- You can add operators yourself, using the ``operators`` argument, but these are the defaults: +--------+------------------------------------+ | ``+`` | add two things. ``x + y`` | | | ``1 + 1`` -> ``2`` | +--------+------------------------------------+ | ``-`` | subtract two things ``x - y`` | | | ``100 - 1`` -> ``99`` | +--------+------------------------------------+ | ``/`` | divide one thing by another | | | ``x / y`` | | | ``100/10`` -> ``10`` | +--------+------------------------------------+ | ``*`` | multiple one thing by another | | | ``x * y`` | | | ``10 * 10`` -> ``100`` | +--------+------------------------------------+ | ``**`` | 'to the power of' ``x**y`` | | | ``2 ** 10`` -> ``1024`` | +--------+------------------------------------+ | ``%`` | modulus. (remainder) ``x % y`` | | | ``15 % 4`` -> ``3`` | +--------+------------------------------------+ | ``==`` | equals ``x == y`` | | | ``15 == 4`` -> ``False`` | +--------+------------------------------------+ | ``<`` | Less than. ``x < y`` | | | ``1 < 4`` -> ``True`` | +--------+------------------------------------+ | ``>`` | Greater than. ``x > y`` | | | ``1 > 4`` -> ``False`` | +--------+------------------------------------+ | ``<=`` | Less than or Equal to. ``x <= y`` | | | ``1 < 4`` -> ``True`` | +--------+------------------------------------+ | ``>=`` | Greater or Equal to ``x >= 21`` | | | ``1 >= 4`` -> ``False`` | +--------+------------------------------------+ | ``in`` | is something contained within | | | something else. | | | ``"spam" in "my breakfast"`` | | | -> ``False`` | +--------+------------------------------------+ The ``^`` operator is notably missing - not because it's hard, but because it is often mistaken for a exponent operator, not the bitwise operation that it is in python. It's trivial to add back in again if you wish (using the class based evaluator explained below): .. code-block:: python >>> import ast >>> import operator >>> s = SimpleEval() >>> s.operators[ast.BitXor] = operator.xor >>> s.eval("2 ^ 10") 8 Limited Power ~~~~~~~~~~~~~ Also note, the ``**`` operator has been locked down by default to have a maximum input value of ``4000000``, which makes it somewhat harder to make expressions which go on for ever. You can change this limit by changing the ``simpleeval.POWER_MAX`` module level value to whatever is an appropriate value for you (and the hardware that you're running on) or if you want to completely remove all limitations, you can set the ``s.operators[ast.Pow] = operator.pow`` or make your own function. On my computer, ``9**9**5`` evaluates almost instantly, but ``9**9**6`` takes over 30 seconds. Since ``9**7`` is ``4782969``, and so over the ``POWER_MAX`` limit, it throws a ``NumberTooHigh`` exception for you. (Otherwise it would go on for hours, or until the computer runs out of memory) Strings (and other Iterables) Safety ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ There are also limits on string length (100000 characters, ``MAX_STRING_LENGTH``). This can be changed if you wish. Related to this, if you try to create a silly long string/bytes/list, by doing ``'i want to break free'.split() * 9999999999`` for instance, it will block you. If Expressions -------------- You can use python style ``if x then y else z`` type expressions: .. code-block:: python >>> simple_eval("'equal' if x == y else 'not equal'", names={"x": 1, "y": 2}) 'not equal' which, of course, can be nested: .. code-block:: python >>> simple_eval("'a' if 1 == 2 else 'b' if 2 == 3 else 'c'") 'c' Functions --------- You can define functions which you'd like the expresssions to have access to: .. code-block:: python >>> simple_eval("double(21)", functions={"double": lambda x:x*2}) 42 You can define "real" functions to pass in rather than lambdas, of course too, and even re-name them so that expressions can be shorter .. code-block:: python >>> def double(x): return x * 2 >>> simple_eval("d(100) + double(1)", functions={"d": double, "double":double}) 202 If you don't provide your own ``functions`` dict, then the the following defaults are provided in the ``DEFAULT_FUNCTIONS`` dict: +----------------+--------------------------------------------------+ | ``randint(x)`` | Return a random ``int`` below ``x`` | +----------------+--------------------------------------------------+ | ``rand()`` | Return a random ``float`` between 0 and 1 | +----------------+--------------------------------------------------+ | ``int(x)`` | Convert ``x`` to an ``int``. | +----------------+--------------------------------------------------+ | ``float(x)`` | Convert ``x`` to a ``float``. | +----------------+--------------------------------------------------+ | ``str(x)`` | Convert ``x`` to a ``str`` (``unicode`` in py2) | +----------------+--------------------------------------------------+ If you want to provide a list of functions, but want to keep these as well, then you can do a normal python ``.copy()`` & ``.update``: .. code-block:: python >>> my_functions = simpleeval.DEFAULT_FUNCTIONS.copy() >>> my_functions.update( square=(lambda x:x*x), double=(lambda x:x+x), ) >>> simple_eval('square(randint(100))', functions=my_functions) Names ----- Sometimes it's useful to have variables available, which in python terminology are called 'names'. .. code-block:: python >>> simple_eval("a + b", names={"a": 11, "b": 100}) 111 You can also hand the handling of names over to a function, if you prefer: .. code-block:: python >>> def name_handler(node): return ord(node.id[0].lower(a))-96 >>> simple_eval('a + b', names=name_handler) 3 That was a bit of a silly example, but you could use this for pulling values from a database or file, say, or doing some kind of caching system. The two default names that are provided are ``True`` and ``False``. So if you want to provide your own names, but want ``True`` and ``False`` to keep working, either provide them yourself, or ``.copy()`` and ``.update`` the ``DEFAULT_NAMES``. (See functions example above). Creating an Evaluator Class --------------------------- Rather than creating a new evaluator each time, if you are doing a lot of evaluations, you can create a SimpleEval object, and pass it expressions each time (which should be a bit quicker, and certainly more convenient for some use cases): .. code-block:: python >>> s = SimpleEval() >>> s.eval("1 + 1") 2 >>> s.eval('100 * 10') 1000 # and so on... You can assign / edit the various options of the ``SimpleEval`` object if you want to. Either assign them during creation (like the ``simple_eval`` function) .. code-block:: python def boo(): return 'Boo!' s = SimpleEval(functions={"boo": boo}) or edit them after creation: .. code-block:: python s.names['fortytwo'] = 42 this actually means you can modify names (or functions) with functions, if you really feel so inclined: .. code-block:: python s = SimpleEval() def set_val(name, value): s.names[name.value] = value.value return value.value s.functions = {'set': set_val} s.eval("set('age', 111)") Say. This would allow a certain level of 'scriptyness' if you had these evaluations happening as callbacks in a program. Although you really are reaching the end of what this library is intended for at this stage. Compound Types -------------- Compound types (``dict``, ``tuple``, ``list``, ``set``) in general just work if you pass them in as named objects. If you want to allow creation of these, the ``EvalWithCompoundTypes`` class works. Just replace any use of ``SimpleEval`` with that. The ``EvalWithCompoundTypes`` class also contains support for simple comprehensions. eg: ``[x + 1 for x in [1,2,3]]``. There's a safety `MAX_COMPREHENSION_LENGTH` to control how many items it'll allow before bailing too. This also takes into account nested comprehensions. Since the primary intention of this library is short expressions - an extra 'sweetener' is enabled by default. You can access a dict (or similar's) keys using the .attr syntax: .. code-block:: python >>> simple_eval("foo.bar", names={"foo": {"bar": 42}}) 42 for instance. You can turn this off either by setting the module global `ATTR_INDEX_FALLBACK` to `False`, or on the ``SimpleEval`` instance itself. e.g. ``evaller.ATTR_INDEX_FALLBACK=False``. Extending --------- The ``SimpleEval`` class is pretty easy to extend. For instance, to create a version that disallows method invocation on objects: .. code-block:: python import ast import simpleeval class EvalNoMethods(simpleeval.SimpleEval): def _eval_call(self, node): if isinstance(node.func, ast.Attribute): raise simpleeval.FeatureNotAvailable("No methods please, we're British") return super(EvalNoMethods, self)._eval_call(node) and then use ``EvalNoMethods`` instead of the ``SimpleEval`` class. Other... -------- The library supports python 3 - but should be mostly compatible (and tested before 0.9.11) with python 2.7 as well. Object attributes that start with ``_`` or ``func_`` are disallowed by default. If you really need that (BE CAREFUL!), then modify the module global ``simpleeval.DISALLOW_PREFIXES``. A few builtin functions are listed in ``simpleeval.DISALLOW_FUNCTIONS``. ``type``, ``open``, etc. If you need to give access to this kind of functionality to your expressions, then be very careful. You'd be better wrapping the functions in your own safe wrappers. The initial idea came from J.F. Sebastian on Stack Overflow ( http://stackoverflow.com/a/9558001/1973500 ) with modifications and many improvements, see the head of the main file for contributors list. Please read the ``test_simpleeval.py`` file for other potential gotchas or details. I'm very happy to accept pull requests, suggestions, or other issues. Enjoy! Developing ---------- Run tests:: $ make test Or to set the tests running on every file change: $ make autotest (requires ``entr``) BEWARE ------ I've done the best I can with this library - but there's no warrenty, no guarentee, nada. A lot of very clever people think the whole idea of trying to sandbox CPython is impossible. Read the code yourself, and use it at your own risk. ././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1634962224.0 simpleeval-0.9.11/pyproject.toml0000644000076500000240000000015300000000000017236 0ustar00danielstaff00000000000000[build-system] requires = ["setuptools>=30.3.0", "wheel", "build"] build-backend = "setuptools.build_meta" ././@PaxHeader0000000000000000000000000000003400000000000011452 xustar000000000000000028 mtime=1634962310.9580033 simpleeval-0.9.11/setup.cfg0000644000076500000240000000123400000000000016144 0ustar00danielstaff00000000000000[metadata] name = simpleeval version = 0.9.11 author = Daniel Fairhead author_email = danthedeckie@gmail.com description = A simple, safe single expression evaluator library. keywords = eval, simple, expression, parse, ast url = https://github.com/danthedeckie/simpleeval long_description = file: README.rst long_description_content_type = text/x-rst classifiers = Development Status :: 4 - Beta Intended Audience :: Developers License :: OSI Approved :: MIT License Topic :: Software Development :: Libraries :: Python Modules Programming Language :: Python [options] py_modules = simpleeval [bdist_wheel] universal = 1 [egg_info] tag_build = tag_date = 0 ././@PaxHeader0000000000000000000000000000003400000000000011452 xustar000000000000000028 mtime=1634962310.9570022 simpleeval-0.9.11/simpleeval.egg-info/0000755000076500000240000000000000000000000020156 5ustar00danielstaff00000000000000././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1634962310.0 simpleeval-0.9.11/simpleeval.egg-info/PKG-INFO0000644000076500000240000003360100000000000021256 0ustar00danielstaff00000000000000Metadata-Version: 2.1 Name: simpleeval Version: 0.9.11 Summary: A simple, safe single expression evaluator library. Home-page: https://github.com/danthedeckie/simpleeval Author: Daniel Fairhead Author-email: danthedeckie@gmail.com License: UNKNOWN Keywords: eval,simple,expression,parse,ast Platform: UNKNOWN Classifier: Development Status :: 4 - Beta Classifier: Intended Audience :: Developers Classifier: License :: OSI Approved :: MIT License Classifier: Topic :: Software Development :: Libraries :: Python Modules Classifier: Programming Language :: Python Description-Content-Type: text/x-rst License-File: LICENCE simpleeval (Simple Eval) ======================== .. image:: https://travis-ci.org/danthedeckie/simpleeval.svg?branch=master :target: https://travis-ci.org/danthedeckie/simpleeval :alt: Build Status .. image:: https://coveralls.io/repos/github/danthedeckie/simpleeval/badge.svg?branch=master :target: https://coveralls.io/r/danthedeckie/simpleeval?branch=master :alt: Coverage Status .. image:: https://badge.fury.io/py/simpleeval.svg :target: https://badge.fury.io/py/simpleeval :alt: PyPI Version A quick single file library for easily adding evaluatable expressions into python projects. Say you want to allow a user to set an alarm volume, which could depend on the time of day, alarm level, how many previous alarms had gone off, and if there is music playing at the time. Or if you want to allow simple formulae in a web application, but don't want to give full eval() access, or don't want to run in javascript on the client side. It's deliberately very simple, pull it in from PyPI (pip or easy_install), or even just a single file you can dump into a project. Internally, it's using the amazing python ``ast`` module to parse the expression, which allows very fine control of what is and isn't allowed. It should be completely safe in terms of what operations can be performed by the expression. The only issue I know to be aware of is that you can create an expression which takes a long time to evaluate, or which evaluating requires an awful lot of memory, which leaves the potential for DOS attacks. There is basic protection against this, and you can lock it down further if you desire. (see the Operators_ section below) You should be aware of this when deploying in a public setting. The defaults are pretty locked down and basic, and it's very easy to add whatever extra specific functionality you need (your own functions, variable/name lookup, etc). Basic Usage ----------- To get very simple evaluating: .. code-block:: python from simpleeval import simple_eval simple_eval("21 + 21") returns ``42``. Expressions can be as complex and convoluted as you want: .. code-block:: python simple_eval("21 + 19 / 7 + (8 % 3) ** 9") returns ``535.714285714``. You can add your own functions in as well. .. code-block:: python simple_eval("square(11)", functions={"square": lambda x: x*x}) returns ``121``. For more details of working with functions, read further down. Note: ~~~~~ all further examples use ``>>>`` to designate python code, as if you are using the python interactive prompt. .. _Operators: Operators --------- You can add operators yourself, using the ``operators`` argument, but these are the defaults: +--------+------------------------------------+ | ``+`` | add two things. ``x + y`` | | | ``1 + 1`` -> ``2`` | +--------+------------------------------------+ | ``-`` | subtract two things ``x - y`` | | | ``100 - 1`` -> ``99`` | +--------+------------------------------------+ | ``/`` | divide one thing by another | | | ``x / y`` | | | ``100/10`` -> ``10`` | +--------+------------------------------------+ | ``*`` | multiple one thing by another | | | ``x * y`` | | | ``10 * 10`` -> ``100`` | +--------+------------------------------------+ | ``**`` | 'to the power of' ``x**y`` | | | ``2 ** 10`` -> ``1024`` | +--------+------------------------------------+ | ``%`` | modulus. (remainder) ``x % y`` | | | ``15 % 4`` -> ``3`` | +--------+------------------------------------+ | ``==`` | equals ``x == y`` | | | ``15 == 4`` -> ``False`` | +--------+------------------------------------+ | ``<`` | Less than. ``x < y`` | | | ``1 < 4`` -> ``True`` | +--------+------------------------------------+ | ``>`` | Greater than. ``x > y`` | | | ``1 > 4`` -> ``False`` | +--------+------------------------------------+ | ``<=`` | Less than or Equal to. ``x <= y`` | | | ``1 < 4`` -> ``True`` | +--------+------------------------------------+ | ``>=`` | Greater or Equal to ``x >= 21`` | | | ``1 >= 4`` -> ``False`` | +--------+------------------------------------+ | ``in`` | is something contained within | | | something else. | | | ``"spam" in "my breakfast"`` | | | -> ``False`` | +--------+------------------------------------+ The ``^`` operator is notably missing - not because it's hard, but because it is often mistaken for a exponent operator, not the bitwise operation that it is in python. It's trivial to add back in again if you wish (using the class based evaluator explained below): .. code-block:: python >>> import ast >>> import operator >>> s = SimpleEval() >>> s.operators[ast.BitXor] = operator.xor >>> s.eval("2 ^ 10") 8 Limited Power ~~~~~~~~~~~~~ Also note, the ``**`` operator has been locked down by default to have a maximum input value of ``4000000``, which makes it somewhat harder to make expressions which go on for ever. You can change this limit by changing the ``simpleeval.POWER_MAX`` module level value to whatever is an appropriate value for you (and the hardware that you're running on) or if you want to completely remove all limitations, you can set the ``s.operators[ast.Pow] = operator.pow`` or make your own function. On my computer, ``9**9**5`` evaluates almost instantly, but ``9**9**6`` takes over 30 seconds. Since ``9**7`` is ``4782969``, and so over the ``POWER_MAX`` limit, it throws a ``NumberTooHigh`` exception for you. (Otherwise it would go on for hours, or until the computer runs out of memory) Strings (and other Iterables) Safety ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ There are also limits on string length (100000 characters, ``MAX_STRING_LENGTH``). This can be changed if you wish. Related to this, if you try to create a silly long string/bytes/list, by doing ``'i want to break free'.split() * 9999999999`` for instance, it will block you. If Expressions -------------- You can use python style ``if x then y else z`` type expressions: .. code-block:: python >>> simple_eval("'equal' if x == y else 'not equal'", names={"x": 1, "y": 2}) 'not equal' which, of course, can be nested: .. code-block:: python >>> simple_eval("'a' if 1 == 2 else 'b' if 2 == 3 else 'c'") 'c' Functions --------- You can define functions which you'd like the expresssions to have access to: .. code-block:: python >>> simple_eval("double(21)", functions={"double": lambda x:x*2}) 42 You can define "real" functions to pass in rather than lambdas, of course too, and even re-name them so that expressions can be shorter .. code-block:: python >>> def double(x): return x * 2 >>> simple_eval("d(100) + double(1)", functions={"d": double, "double":double}) 202 If you don't provide your own ``functions`` dict, then the the following defaults are provided in the ``DEFAULT_FUNCTIONS`` dict: +----------------+--------------------------------------------------+ | ``randint(x)`` | Return a random ``int`` below ``x`` | +----------------+--------------------------------------------------+ | ``rand()`` | Return a random ``float`` between 0 and 1 | +----------------+--------------------------------------------------+ | ``int(x)`` | Convert ``x`` to an ``int``. | +----------------+--------------------------------------------------+ | ``float(x)`` | Convert ``x`` to a ``float``. | +----------------+--------------------------------------------------+ | ``str(x)`` | Convert ``x`` to a ``str`` (``unicode`` in py2) | +----------------+--------------------------------------------------+ If you want to provide a list of functions, but want to keep these as well, then you can do a normal python ``.copy()`` & ``.update``: .. code-block:: python >>> my_functions = simpleeval.DEFAULT_FUNCTIONS.copy() >>> my_functions.update( square=(lambda x:x*x), double=(lambda x:x+x), ) >>> simple_eval('square(randint(100))', functions=my_functions) Names ----- Sometimes it's useful to have variables available, which in python terminology are called 'names'. .. code-block:: python >>> simple_eval("a + b", names={"a": 11, "b": 100}) 111 You can also hand the handling of names over to a function, if you prefer: .. code-block:: python >>> def name_handler(node): return ord(node.id[0].lower(a))-96 >>> simple_eval('a + b', names=name_handler) 3 That was a bit of a silly example, but you could use this for pulling values from a database or file, say, or doing some kind of caching system. The two default names that are provided are ``True`` and ``False``. So if you want to provide your own names, but want ``True`` and ``False`` to keep working, either provide them yourself, or ``.copy()`` and ``.update`` the ``DEFAULT_NAMES``. (See functions example above). Creating an Evaluator Class --------------------------- Rather than creating a new evaluator each time, if you are doing a lot of evaluations, you can create a SimpleEval object, and pass it expressions each time (which should be a bit quicker, and certainly more convenient for some use cases): .. code-block:: python >>> s = SimpleEval() >>> s.eval("1 + 1") 2 >>> s.eval('100 * 10') 1000 # and so on... You can assign / edit the various options of the ``SimpleEval`` object if you want to. Either assign them during creation (like the ``simple_eval`` function) .. code-block:: python def boo(): return 'Boo!' s = SimpleEval(functions={"boo": boo}) or edit them after creation: .. code-block:: python s.names['fortytwo'] = 42 this actually means you can modify names (or functions) with functions, if you really feel so inclined: .. code-block:: python s = SimpleEval() def set_val(name, value): s.names[name.value] = value.value return value.value s.functions = {'set': set_val} s.eval("set('age', 111)") Say. This would allow a certain level of 'scriptyness' if you had these evaluations happening as callbacks in a program. Although you really are reaching the end of what this library is intended for at this stage. Compound Types -------------- Compound types (``dict``, ``tuple``, ``list``, ``set``) in general just work if you pass them in as named objects. If you want to allow creation of these, the ``EvalWithCompoundTypes`` class works. Just replace any use of ``SimpleEval`` with that. The ``EvalWithCompoundTypes`` class also contains support for simple comprehensions. eg: ``[x + 1 for x in [1,2,3]]``. There's a safety `MAX_COMPREHENSION_LENGTH` to control how many items it'll allow before bailing too. This also takes into account nested comprehensions. Since the primary intention of this library is short expressions - an extra 'sweetener' is enabled by default. You can access a dict (or similar's) keys using the .attr syntax: .. code-block:: python >>> simple_eval("foo.bar", names={"foo": {"bar": 42}}) 42 for instance. You can turn this off either by setting the module global `ATTR_INDEX_FALLBACK` to `False`, or on the ``SimpleEval`` instance itself. e.g. ``evaller.ATTR_INDEX_FALLBACK=False``. Extending --------- The ``SimpleEval`` class is pretty easy to extend. For instance, to create a version that disallows method invocation on objects: .. code-block:: python import ast import simpleeval class EvalNoMethods(simpleeval.SimpleEval): def _eval_call(self, node): if isinstance(node.func, ast.Attribute): raise simpleeval.FeatureNotAvailable("No methods please, we're British") return super(EvalNoMethods, self)._eval_call(node) and then use ``EvalNoMethods`` instead of the ``SimpleEval`` class. Other... -------- The library supports python 3 - but should be mostly compatible (and tested before 0.9.11) with python 2.7 as well. Object attributes that start with ``_`` or ``func_`` are disallowed by default. If you really need that (BE CAREFUL!), then modify the module global ``simpleeval.DISALLOW_PREFIXES``. A few builtin functions are listed in ``simpleeval.DISALLOW_FUNCTIONS``. ``type``, ``open``, etc. If you need to give access to this kind of functionality to your expressions, then be very careful. You'd be better wrapping the functions in your own safe wrappers. The initial idea came from J.F. Sebastian on Stack Overflow ( http://stackoverflow.com/a/9558001/1973500 ) with modifications and many improvements, see the head of the main file for contributors list. Please read the ``test_simpleeval.py`` file for other potential gotchas or details. I'm very happy to accept pull requests, suggestions, or other issues. Enjoy! Developing ---------- Run tests:: $ make test Or to set the tests running on every file change: $ make autotest (requires ``entr``) BEWARE ------ I've done the best I can with this library - but there's no warrenty, no guarentee, nada. A lot of very clever people think the whole idea of trying to sandbox CPython is impossible. Read the code yourself, and use it at your own risk. ././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1634962310.0 simpleeval-0.9.11/simpleeval.egg-info/SOURCES.txt0000644000076500000240000000041400000000000022041 0ustar00danielstaff00000000000000.coveragerc .gitignore .travis.yml LICENCE MANIFEST.in Makefile README.rst pyproject.toml setup.cfg simpleeval.py test_simpleeval.py simpleeval.egg-info/PKG-INFO simpleeval.egg-info/SOURCES.txt simpleeval.egg-info/dependency_links.txt simpleeval.egg-info/top_level.txt././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1634962310.0 simpleeval-0.9.11/simpleeval.egg-info/dependency_links.txt0000644000076500000240000000000100000000000024224 0ustar00danielstaff00000000000000 ././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1634962310.0 simpleeval-0.9.11/simpleeval.egg-info/top_level.txt0000644000076500000240000000001300000000000022702 0ustar00danielstaff00000000000000simpleeval ././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1634905867.0 simpleeval-0.9.11/simpleeval.py0000644000076500000240000005250000000000000017040 0ustar00danielstaff00000000000000""" SimpleEval - (C) 2013-2019 Daniel Fairhead ------------------------------------- An short, easy to use, safe and reasonably extensible expression evaluator. Designed for things like in a website where you want to allow the user to generate a string, or a number from some other input, without allowing full eval() or other unsafe or needlessly complex linguistics. ------------------------------------- Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. ------------------------------------- Initial idea copied from J.F. Sebastian on Stack Overflow ( http://stackoverflow.com/a/9558001/1973500 ) with modifications and many improvements. ------------------------------------- Contributors: - corro (Robin Baumgartner) (py3k) - dratchkov (David R) (nested dicts) - marky1991 (Mark Young) (slicing) - T045T (Nils Berg) (!=, py3kstr, obj. - perkinslr (Logan Perkins) (.__globals__ or .func_ breakouts) - impala2 (Kirill Stepanov) (massive _eval refactor) - gk (ugik) (Other iterables than str can DOS too, and can be made) - daveisfera (Dave Johansen) 'not' Boolean op, Pycharm, pep8, various other fixes - xaled (Khalid Grandi) method chaining correctly, double-eval bugfix. - EdwardBetts (Edward Betts) spelling correction. - charlax (Charles-Axel Dein charlax) Makefile and cleanups - mommothazaz123 (Andrew Zhu) f"string" support, Python 3.8 support - lubieowoce (Uryga) various potential vulnerabilities - JCavallo (Jean Cavallo) names dict shouldn't be modified - Birne94 (Daniel Birnstiel) for fixing leaking generators. - patricksurry (Patrick Surry) or should return last value, even if falsy. - shughes-uk (Samantha Hughes) python w/o 'site' should not fail to import. - KOLANICH packaging / deployment / setup help - graingert (Thomas Grainger) packaging / deployment / setup help ------------------------------------- Basic Usage: >>> s = SimpleEval() >>> s.eval("20 + 30") 50 You can add your own functions easily too: if file.txt contents is "11" >>> def get_file(): ... with open("file.txt", 'r') as f: ... return f.read() >>> s.functions["get_file"] = get_file >>> s.eval("int(get_file()) + 31") 42 For more information, see the full package documentation on pypi, or the github repo. ----------- If you don't need to re-use the evaluator (with it's names, functions, etc), then you can use the simple_eval() function: >>> simple_eval("21 + 19") 40 You can pass names, operators and functions to the simple_eval function as well: >>> simple_eval("40 + two", names={"two": 2}) 42 """ import ast import operator as op import sys import warnings from random import random PYTHON3 = sys.version_info[0] == 3 ######################################## # Module wide 'globals' MAX_STRING_LENGTH = 100000 MAX_COMPREHENSION_LENGTH = 10000 MAX_POWER = 4000000 # highest exponent DISALLOW_PREFIXES = ['_', 'func_'] DISALLOW_METHODS = ['format', 'format_map', 'mro'] # Disallow functions: # This, strictly speaking, is not necessary. These /should/ never be accessable anyway, # if DISALLOW_PREFIXES and DISALLOW_METHODS are all right. This is here to try and help # people not be stupid. Allowing these functions opens up all sorts of holes - if any of # their functionality is required, then please wrap them up in a safe container. And think # very hard about it first. And don't say I didn't warn you. # builtins is a dict in python >3.6 but a module before DISALLOW_FUNCTIONS = { type, isinstance, eval, getattr, setattr, repr, compile, open } if hasattr(__builtins__, 'help') or \ (hasattr(__builtins__, '__contains__') and 'help' in __builtins__): # PyInstaller environment doesn't include this module. DISALLOW_FUNCTIONS.add(help) if PYTHON3: exec('DISALLOW_FUNCTIONS.add(exec)') # exec is not a function in Python2... ######################################## # Exceptions: class InvalidExpression(Exception): """ Generic Exception """ pass class FunctionNotDefined(InvalidExpression): """ sorry! That function isn't defined! """ def __init__(self, func_name, expression): self.message = "Function '{0}' not defined," \ " for expression '{1}'.".format(func_name, expression) setattr(self, 'func_name', func_name) # bypass 2to3 confusion. self.expression = expression # pylint: disable=bad-super-call super(InvalidExpression, self).__init__(self.message) class NameNotDefined(InvalidExpression): """ a name isn't defined. """ def __init__(self, name, expression): self.name = name self.message = "'{0}' is not defined for expression '{1}'".format( name, expression) self.expression = expression # pylint: disable=bad-super-call super(InvalidExpression, self).__init__(self.message) class AttributeDoesNotExist(InvalidExpression): """attribute does not exist""" def __init__(self, attr, expression): self.message = \ "Attribute '{0}' does not exist in expression '{1}'".format( attr, expression) self.attr = attr self.expression = expression class FeatureNotAvailable(InvalidExpression): """ What you're trying to do is not allowed. """ pass class NumberTooHigh(InvalidExpression): """ Sorry! That number is too high. I don't want to spend the next 10 years evaluating this expression! """ pass class IterableTooLong(InvalidExpression): """ That iterable is **way** too long, baby. """ pass class AssignmentAttempted(UserWarning): pass ######################################## # Default simple functions to include: def random_int(top): """ return a random int below """ return int(random() * top) def safe_power(a, b): # pylint: disable=invalid-name """ a limited exponent/to-the-power-of function, for safety reasons """ if abs(a) > MAX_POWER or abs(b) > MAX_POWER: raise NumberTooHigh("Sorry! I don't want to evaluate {0} ** {1}" .format(a, b)) return a ** b def safe_mult(a, b): # pylint: disable=invalid-name """ limit the number of times an iterable can be repeated... """ if hasattr(a, '__len__') and b * len(a) > MAX_STRING_LENGTH: raise IterableTooLong('Sorry, I will not evalute something that long.') if hasattr(b, '__len__') and a * len(b) > MAX_STRING_LENGTH: raise IterableTooLong('Sorry, I will not evalute something that long.') return a * b def safe_add(a, b): # pylint: disable=invalid-name """ iterable length limit again """ if hasattr(a, '__len__') and hasattr(b, '__len__'): if len(a) + len(b) > MAX_STRING_LENGTH: raise IterableTooLong("Sorry, adding those two together would" " make something too long.") return a + b ######################################## # Defaults for the evaluator: DEFAULT_OPERATORS = {ast.Add: safe_add, ast.Sub: op.sub, ast.Mult: safe_mult, ast.Div: op.truediv, ast.FloorDiv: op.floordiv, ast.Pow: safe_power, ast.Mod: op.mod, ast.Eq: op.eq, ast.NotEq: op.ne, ast.Gt: op.gt, ast.Lt: op.lt, ast.GtE: op.ge, ast.LtE: op.le, ast.Not: op.not_, ast.USub: op.neg, ast.UAdd: op.pos, ast.In: lambda x, y: op.contains(y, x), ast.NotIn: lambda x, y: not op.contains(y, x), ast.Is: lambda x, y: x is y, ast.IsNot: lambda x, y: x is not y, } DEFAULT_FUNCTIONS = {"rand": random, "randint": random_int, "int": int, "float": float, "str": str if PYTHON3 else unicode} DEFAULT_NAMES = {"True": True, "False": False, "None": None} ATTR_INDEX_FALLBACK = True ######################################## # And the actual evaluator: class SimpleEval(object): # pylint: disable=too-few-public-methods """ A very simple expression parser. >>> s = SimpleEval() >>> s.eval("20 + 30 - ( 10 * 5)") 0 """ expr = "" def __init__(self, operators=None, functions=None, names=None): """ Create the evaluator instance. Set up valid operators (+,-, etc) functions (add, random, get_val, whatever) and names. """ if not operators: operators = DEFAULT_OPERATORS.copy() if not functions: functions = DEFAULT_FUNCTIONS.copy() if not names: names = DEFAULT_NAMES.copy() self.operators = operators self.functions = functions self.names = names self.nodes = { ast.Expr: self._eval_expr, ast.Assign: self._eval_assign, ast.AugAssign: self._eval_aug_assign, ast.Import: self._eval_import, ast.Num: self._eval_num, ast.Str: self._eval_str, ast.Name: self._eval_name, ast.UnaryOp: self._eval_unaryop, ast.BinOp: self._eval_binop, ast.BoolOp: self._eval_boolop, ast.Compare: self._eval_compare, ast.IfExp: self._eval_ifexp, ast.Call: self._eval_call, ast.keyword: self._eval_keyword, ast.Subscript: self._eval_subscript, ast.Attribute: self._eval_attribute, ast.Index: self._eval_index, ast.Slice: self._eval_slice, } # py3k stuff: if hasattr(ast, 'NameConstant'): self.nodes[ast.NameConstant] = self._eval_constant # py3.6, f-strings if hasattr(ast, 'JoinedStr'): self.nodes[ast.JoinedStr] = self._eval_joinedstr # f-string self.nodes[ast.FormattedValue] = self._eval_formattedvalue # formatted value in f-string # py3.8 uses ast.Constant instead of ast.Num, ast.Str, ast.NameConstant if hasattr(ast, 'Constant'): self.nodes[ast.Constant] = self._eval_constant # Defaults: self.ATTR_INDEX_FALLBACK = ATTR_INDEX_FALLBACK # Check for forbidden functions: for f in self.functions.values(): if f in DISALLOW_FUNCTIONS: raise FeatureNotAvailable('This function {} is a really bad idea.'.format(f)) def eval(self, expr): """ evaluate an expresssion, using the operators, functions and names previously set up. """ # set a copy of the expression aside, so we can give nice errors... self.expr = expr # and evaluate: return self._eval(ast.parse(expr.strip()).body[0]) def _eval(self, node): """ The internal evaluator used on each node in the parsed tree. """ try: handler = self.nodes[type(node)] except KeyError: raise FeatureNotAvailable("Sorry, {0} is not available in this " "evaluator".format(type(node).__name__)) return handler(node) def _eval_expr(self, node): return self._eval(node.value) def _eval_assign(self, node): warnings.warn("Assignment ({}) attempted, but this is ignored".format(self.expr), AssignmentAttempted) return self._eval(node.value) def _eval_aug_assign(self, node): warnings.warn("Assignment ({}) attempted, but this is ignored".format(self.expr), AssignmentAttempted) return self._eval(node.value) def _eval_import(self, node): raise FeatureNotAvailable("Sorry, 'import' is not allowed.") return self._eval(node.value) @staticmethod def _eval_num(node): return node.n @staticmethod def _eval_str(node): if len(node.s) > MAX_STRING_LENGTH: raise IterableTooLong("String Literal in statement is too long!" " ({0}, when {1} is max)".format( len(node.s), MAX_STRING_LENGTH)) return node.s @staticmethod def _eval_constant(node): if hasattr(node.value, '__len__') and len(node.value) > MAX_STRING_LENGTH: raise IterableTooLong("Literal in statement is too long!" " ({0}, when {1} is max)".format(len(node.value), MAX_STRING_LENGTH)) return node.value def _eval_unaryop(self, node): return self.operators[type(node.op)](self._eval(node.operand)) def _eval_binop(self, node): return self.operators[type(node.op)](self._eval(node.left), self._eval(node.right)) def _eval_boolop(self, node): if isinstance(node.op, ast.And): vout = False for value in node.values: vout = self._eval(value) if not vout: return vout return vout elif isinstance(node.op, ast.Or): for value in node.values: vout = self._eval(value) if vout: return vout return vout def _eval_compare(self, node): right = self._eval(node.left) to_return = True for operation, comp in zip(node.ops, node.comparators): if not to_return: break left = right right = self._eval(comp) to_return = self.operators[type(operation)](left, right) return to_return def _eval_ifexp(self, node): return self._eval(node.body) if self._eval(node.test) \ else self._eval(node.orelse) def _eval_call(self, node): if isinstance(node.func, ast.Attribute): func = self._eval(node.func) else: try: func = self.functions[node.func.id] except KeyError: raise FunctionNotDefined(node.func.id, self.expr) except AttributeError as e: raise FeatureNotAvailable('Lambda Functions not implemented') if func in DISALLOW_FUNCTIONS: raise FeatureNotAvailable('This function is forbidden') return func( *(self._eval(a) for a in node.args), **dict(self._eval(k) for k in node.keywords) ) def _eval_keyword(self, node): return node.arg, self._eval(node.value) def _eval_name(self, node): try: # This happens at least for slicing # This is a safe thing to do because it is impossible # that there is a true exression assigning to none # (the compiler rejects it, so you can't even # pass that to ast.parse) if hasattr(self.names, '__getitem__'): return self.names[node.id] elif callable(self.names): return self.names(node) else: raise InvalidExpression('Trying to use name (variable) "{0}"' ' when no "names" defined for' ' evaluator'.format(node.id)) except KeyError: if node.id in self.functions: return self.functions[node.id] raise NameNotDefined(node.id, self.expr) def _eval_subscript(self, node): container = self._eval(node.value) key = self._eval(node.slice) try: return container[key] except KeyError: raise def _eval_attribute(self, node): for prefix in DISALLOW_PREFIXES: if node.attr.startswith(prefix): raise FeatureNotAvailable( "Sorry, access to __attributes " " or func_ attributes is not available. " "({0})".format(node.attr)) if node.attr in DISALLOW_METHODS: raise FeatureNotAvailable( "Sorry, this method is not available. " "({0})".format(node.attr)) # eval node node_evaluated = self._eval(node.value) # Maybe the base object is an actual object, not just a dict try: return getattr(node_evaluated, node.attr) except (AttributeError, TypeError): pass # TODO: is this a good idea? Try and look for [x] if .x doesn't work? if self.ATTR_INDEX_FALLBACK: try: return node_evaluated[node.attr] except (KeyError, TypeError): pass # If it is neither, raise an exception raise AttributeDoesNotExist(node.attr, self.expr) def _eval_index(self, node): return self._eval(node.value) def _eval_slice(self, node): lower = upper = step = None if node.lower is not None: lower = self._eval(node.lower) if node.upper is not None: upper = self._eval(node.upper) if node.step is not None: step = self._eval(node.step) return slice(lower, upper, step) def _eval_joinedstr(self, node): length = 0 evaluated_values = [] for n in node.values: val = str(self._eval(n)) if len(val) + length > MAX_STRING_LENGTH: raise IterableTooLong("Sorry, I will not evaluate something this long.") evaluated_values.append(val) return ''.join(evaluated_values) def _eval_formattedvalue(self, node): if node.format_spec: fmt = "{:" + self._eval(node.format_spec) + "}" return fmt.format(self._eval(node.value)) return self._eval(node.value) class EvalWithCompoundTypes(SimpleEval): """ SimpleEval with additional Compound Types, and their respective function editions. (list, tuple, dict, set). """ def __init__(self, operators=None, functions=None, names=None): super(EvalWithCompoundTypes, self).__init__(operators, functions, names) self.functions.update( list=list, tuple=tuple, dict=dict, set=set) self.nodes.update({ ast.Dict: self._eval_dict, ast.Tuple: self._eval_tuple, ast.List: self._eval_list, ast.Set: self._eval_set, ast.ListComp: self._eval_comprehension, ast.GeneratorExp: self._eval_comprehension, }) def eval(self, expr): self._max_count = 0 return super(EvalWithCompoundTypes, self).eval(expr) def _eval_dict(self, node): return {self._eval(k): self._eval(v) for (k, v) in zip(node.keys, node.values)} def _eval_tuple(self, node): return tuple(self._eval(x) for x in node.elts) def _eval_list(self, node): return list(self._eval(x) for x in node.elts) def _eval_set(self, node): return set(self._eval(x) for x in node.elts) def _eval_comprehension(self, node): to_return = [] extra_names = {} previous_name_evaller = self.nodes[ast.Name] def eval_names_extra(node): """ Here we hide our extra scope for within this comprehension """ if node.id in extra_names: return extra_names[node.id] return previous_name_evaller(node) self.nodes.update({ast.Name: eval_names_extra}) def recurse_targets(target, value): """ Recursively (enter, (into, (nested, name), unpacking)) = \ and, (assign, (values, to), each """ if isinstance(target, ast.Name): extra_names[target.id] = value else: for t, v in zip(target.elts, value): recurse_targets(t, v) def do_generator(gi=0): g = node.generators[gi] for i in self._eval(g.iter): self._max_count += 1 if self._max_count > MAX_COMPREHENSION_LENGTH: raise IterableTooLong('Comprehension generates too many elements') recurse_targets(g.target, i) if all(self._eval(iff) for iff in g.ifs): if len(node.generators) > gi + 1: do_generator(gi+1) else: to_return.append(self._eval(node.elt)) try: do_generator() finally: self.nodes.update({ast.Name: previous_name_evaller}) return to_return def simple_eval(expr, operators=None, functions=None, names=None): """ Simply evaluate an expresssion """ s = SimpleEval(operators=operators, functions=functions, names=names) return s.eval(expr) ././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1634905022.0 simpleeval-0.9.11/test_simpleeval.py0000644000076500000240000010067300000000000020104 0ustar00danielstaff00000000000000""" Unit tests for simpleeval. -------------------------- Most of this stuff is pretty basic. """ # pylint: disable=too-many-public-methods, missing-docstring import sys import unittest import operator import ast import simpleeval import os import warnings from simpleeval import ( SimpleEval, EvalWithCompoundTypes, FeatureNotAvailable, FunctionNotDefined, NameNotDefined, InvalidExpression, AttributeDoesNotExist, simple_eval ) class DRYTest(unittest.TestCase): """ Stuff we need to do every test, let's do here instead.. Don't Repeat Yourself. """ def setUp(self): """ initialize a SimpleEval """ self.s = SimpleEval() def t(self, expr, shouldbe): # pylint: disable=invalid-name """ test an evaluation of an expression against an expected answer """ return self.assertEqual(self.s.eval(expr), shouldbe) class TestBasic(DRYTest): """ Simple expressions. """ def test_maths_with_ints(self): """ simple maths expressions """ self.t("21 + 21", 42) self.t("6*7", 42) self.t("20 + 1 + (10*2) + 1", 42) self.t("100/10", 10) self.t("12*12", 144) self.t("2 ** 10", 1024) self.t("100 % 9", 1) def test_bools_and_or(self): self.t('True and ""', "") self.t('True and False', False) self.t('True or False', True) self.t('False or False', False) self.t('1 - 1 or 21', 21) self.t('1 - 1 and 11', 0) self.t('110 == 100 + 10 and True', True) self.t('110 != 100 + 10 and True', False) self.t('False or 42', 42) self.t('False or None', None) self.t('None or None', None) self.s.names = {'out': True, 'position': 3} self.t('(out and position <=6 and -10)' ' or (out and position > 6 and -5)' ' or (not out and 15)', -10) def test_not(self): self.t('not False', True) self.t('not True', False) self.t('not 0', True) self.t('not 1', False) def test_maths_with_floats(self): self.t("11.02 - 9.1", 1.92) self.t("29.1+39", 68.1) def test_comparisons(self): # GT & LT: self.t("1 > 0", True) self.t("100000 < 28", False) self.t("-2 < 11", True) self.t("+2 < 5", True) self.t("0 == 0", True) # GtE, LtE self.t("-2 <= -2", True) self.t("2 >= 2", True) self.t("1 >= 12", False) self.t("1.09 <= 1967392", True) self.t('1 < 2 < 3 < 4', 1 < 2 < 3 < 4) self.t('1 < 2 > 3 < 4', 1 < 2 > 3 < 4) self.t('1<2<1+1', 1 < 2 < 1 + 1) self.t('1 == 1 == 2', 1 == 1 == 2) self.t('1 == 1 < 2', 1 == 1 < 2) def test_mixed_comparisons(self): self.t("1 > 0.999999", True) self.t("1 == True", True) # Note ==, not 'is'. self.t("0 == False", True) # Note ==, not 'is'. self.t("False == False", True) self.t("False < True", True) def test_if_else(self): """ x if y else z """ # and test if/else expressions: self.t("'a' if 1 == 1 else 'b'", 'a') self.t("'a' if 1 > 2 else 'b'", 'b') # and more complex expressions: self.t("'a' if 4 < 1 else 'b' if 1 == 2 else 'c'", 'c') def test_default_conversions(self): """ conversion between types """ self.t('int("20") + int(0.22*100)', 42) self.t('float("42")', 42.0) self.t('"Test Stuff!" + str(11)', "Test Stuff!11") def test_slicing(self): self.s.operators[ast.Slice] = (operator.getslice if hasattr(operator, "getslice") else operator.getitem) self.t("'hello'[1]", "e") self.t("'hello'[:]", "hello") self.t("'hello'[:3]", "hel") self.t("'hello'[3:]", "lo") self.t("'hello'[::2]", "hlo") self.t("'hello'[::-1]", "olleh") self.t("'hello'[3::]", "lo") self.t("'hello'[:3:]", "hel") self.t("'hello'[1:3]", "el") self.t("'hello'[1:3:]", "el") self.t("'hello'[1::2]", "el") self.t("'hello'[:1:2]", "h") self.t("'hello'[1:3:1]", "el") self.t("'hello'[1:3:2]", "e") with self.assertRaises(IndexError): self.t("'hello'[90]", 0) self.t('"spam" not in "my breakfast"', True) self.t('"silly" in "ministry of silly walks"', True) self.t('"I" not in "team"', True) self.t('"U" in "RUBBISH"', True) def test_is(self): self.t('1 is 1', True) self.t('1 is 2', False) self.t('1 is "a"', False) self.t('1 is None', False) self.t('None is None', True) self.t('1 is not 1', False) self.t('1 is not 2', True) self.t('1 is not "a"', True) self.t('1 is not None', True) self.t('None is not None', False) def test_fstring(self): if sys.version_info >= (3, 6, 0): self.t('f""', "") self.t('f"stuff"', "stuff") self.t('f"one is {1} and two is {2}"', "one is 1 and two is 2") self.t('f"1+1 is {1+1}"', "1+1 is 2") self.t('f"{\'dramatic\':!<11}"', "dramatic!!!") def test_set_not_allowed(self): with self.assertRaises(FeatureNotAvailable): self.t('{22}', False) class TestFunctions(DRYTest): """ Functions for expressions to play with """ def test_load_file(self): """ add in a function which loads data from an external file. """ # write to the file: with open("testfile.txt", 'w') as f: f.write("42") # define the function we'll send to the eval'er def load_file(filename): """ load a file and return its contents """ with open(filename) as f2: return f2.read() # simple load: self.s.functions = {"read": load_file} self.t("read('testfile.txt')", "42") # and we should have *replaced* the default functions. Let's check: with self.assertRaises(simpleeval.FunctionNotDefined): self.t("int(read('testfile.txt'))", 42) # OK, so we can load in the default functions as well... self.s.functions.update(simpleeval.DEFAULT_FUNCTIONS) # now it works: self.t("int(read('testfile.txt'))", 42) os.remove('testfile.txt') def test_randoms(self): """ test the rand() and randint() functions """ i = self.s.eval('randint(1000)') self.assertEqual(type(i), int) self.assertLessEqual(i, 1000) f = self.s.eval('rand()') self.assertEqual(type(f), float) self.t("randint(20)<20", True) self.t("rand()<1.0", True) # I don't know how to further test these functions. Ideas? def test_methods(self): self.t('"WORD".lower()', 'word') x = simpleeval.DISALLOW_METHODS simpleeval.DISALLOW_METHODS = [] self.t('"{}:{}".format(1, 2)', '1:2') simpleeval.DISALLOW_METHODS = x def test_function_args_none(self): def foo(): return 42 self.s.functions['foo'] = foo self.t('foo()', 42) def test_function_args_required(self): def foo(toret): return toret self.s.functions['foo'] = foo with self.assertRaises(TypeError): self.t('foo()', 42) self.t('foo(12)', 12) self.t('foo(toret=100)', 100) def test_function_args_defaults(self): def foo(toret=9999): return toret self.s.functions['foo'] = foo self.t('foo()', 9999) self.t('foo(12)', 12) self.t('foo(toret=100)', 100) def test_function_args_bothtypes(self): def foo(mult, toret=100): return toret * mult self.s.functions['foo'] = foo with self.assertRaises(TypeError): self.t('foo()', 9999) self.t('foo(2)', 200) with self.assertRaises(TypeError): self.t('foo(toret=100)', 100) self.t('foo(4, toret=4)', 16) self.t('foo(mult=2, toret=4)', 8) self.t('foo(2, 10)', 20) class TestOperators(DRYTest): """ Test adding in new operators, removing them, make sure it works. """ # TODO pass class TestNewFeatures(DRYTest): """ Tests which will break when new features are added...""" def test_lambda(self): with self.assertRaises(FeatureNotAvailable): self.t('lambda x:22', None) def test_lambda_application(self): with self.assertRaises(FeatureNotAvailable): self.t('(lambda x:22)(44)', None) class TestTryingToBreakOut(DRYTest): """ Test various weird methods to break the security sandbox... """ def test_import(self): """ usual suspect. import """ # cannot import things: with self.assertRaises(FeatureNotAvailable): self.t("import sys", None) def test_long_running(self): """ exponent operations can take a long time. """ old_max = simpleeval.MAX_POWER self.t("9**9**5", 9 ** 9 ** 5) with self.assertRaises(simpleeval.NumberTooHigh): self.t("9**9**8", 0) # and does limiting work? simpleeval.MAX_POWER = 100 with self.assertRaises(simpleeval.NumberTooHigh): self.t("101**2", 0) # good, so set it back: simpleeval.MAX_POWER = old_max def test_encode_bignums(self): # thanks gk if hasattr(1, 'from_bytes'): # python3 only with self.assertRaises(simpleeval.IterableTooLong): self.t('(1).from_bytes(("123123123123123123123123").encode()*999999, "big")', 0) def test_string_length(self): with self.assertRaises(simpleeval.IterableTooLong): self.t("50000*'text'", 0) with self.assertRaises(simpleeval.IterableTooLong): self.t("'text'*50000", 0) with self.assertRaises(simpleeval.IterableTooLong): self.t("('text'*50000)*1000", 0) with self.assertRaises(simpleeval.IterableTooLong): self.t("(50000*'text')*1000", 0) self.t("'stuff'*20000", 20000 * 'stuff') self.t("20000*'stuff'", 20000 * 'stuff') with self.assertRaises(simpleeval.IterableTooLong): self.t("('stuff'*20000) + ('stuff'*20000) ", 0) with self.assertRaises(simpleeval.IterableTooLong): self.t("'stuff'*100000", 100000 * 'stuff') with self.assertRaises(simpleeval.IterableTooLong): self.t("'" + (10000 * "stuff") + "'*100", 0) with self.assertRaises(simpleeval.IterableTooLong): self.t("'" + (50000 * "stuff") + "'", 0) if sys.version_info >= (3, 6, 0): with self.assertRaises(simpleeval.IterableTooLong): self.t("f'{\"foo\"*50000}'", 0) def test_bytes_array_test(self): self.t("'20000000000000000000'.encode() * 5000", '20000000000000000000'.encode() * 5000) with self.assertRaises(simpleeval.IterableTooLong): self.t("'123121323123131231223'.encode() * 5000", 20) def test_list_length_test(self): self.t("'spam spam spam'.split() * 5000", ['spam', 'spam', 'spam'] * 5000) with self.assertRaises(simpleeval.IterableTooLong): self.t("('spam spam spam' * 5000).split() * 5000", None) def test_python_stuff(self): """ other various pythony things. """ # it only evaluates the first statement: self.t("11; x = 21; x + x", 11) def test_function_globals_breakout(self): """ by accessing function.__globals__ or func_... """ # thanks perkinslr. self.s.functions['x'] = lambda y: y + y self.t('x(100)', 200) with self.assertRaises(simpleeval.FeatureNotAvailable): self.t('x.__globals__', None) class EscapeArtist(object): @staticmethod def trapdoor(): return 42 @staticmethod def _quasi_private(): return 84 self.s.names['houdini'] = EscapeArtist() with self.assertRaises(simpleeval.FeatureNotAvailable): self.t('houdini.trapdoor.__globals__', 0) with self.assertRaises(simpleeval.FeatureNotAvailable): self.t('houdini.trapdoor.func_globals', 0) with self.assertRaises(simpleeval.FeatureNotAvailable): self.t('houdini._quasi_private()', 0) # and test for changing '_' to '__': dis = simpleeval.DISALLOW_PREFIXES simpleeval.DISALLOW_PREFIXES = ['func_'] self.t('houdini.trapdoor()', 42) self.t('houdini._quasi_private()', 84) # and return things to normal simpleeval.DISALLOW_PREFIXES = dis def test_mro_breakout(self): class Blah(object): x = 42 self.s.names['b'] = Blah with self.assertRaises(simpleeval.FeatureNotAvailable): self.t('b.mro()', None) def test_builtins_private_access(self): # explicit attempt of the exploit from perkinslr with self.assertRaises(simpleeval.FeatureNotAvailable): self.t("True.__class__.__class__.__base__.__subclasses__()[-1]" ".__init__.func_globals['sys'].exit(1)", 42) def test_string_format(self): # python has so many ways to break out! with self.assertRaises(simpleeval.FeatureNotAvailable): self.t('"{string.__class__}".format(string="things")', 0) with self.assertRaises(simpleeval.FeatureNotAvailable): self.s.names['x'] = {"a": 1} self.t('"{a.__class__}".format_map(x)', 0) if sys.version_info >= (3, 6, 0): self.s.names['x'] = 42 with self.assertRaises(simpleeval.FeatureNotAvailable): self.t('f"{x.__class__}"', 0) self.s.names['x'] = lambda y: y with self.assertRaises(simpleeval.FeatureNotAvailable): self.t('f"{x.__globals__}"', 0) class EscapeArtist(object): @staticmethod def trapdoor(): return 42 @staticmethod def _quasi_private(): return 84 self.s.names['houdini'] = EscapeArtist() # let's just retest this, but in a f-string with self.assertRaises(simpleeval.FeatureNotAvailable): self.t('f"{houdini.trapdoor.__globals__}"', 0) with self.assertRaises(simpleeval.FeatureNotAvailable): self.t('f"{houdini.trapdoor.func_globals}"', 0) with self.assertRaises(simpleeval.FeatureNotAvailable): self.t('f"{houdini._quasi_private()}"', 0) # and test for changing '_' to '__': dis = simpleeval.DISALLOW_PREFIXES simpleeval.DISALLOW_PREFIXES = ['func_'] self.t('f"{houdini.trapdoor()}"', "42") self.t('f"{houdini._quasi_private()}"', "84") # and return things to normal simpleeval.DISALLOW_PREFIXES = dis class TestCompoundTypes(DRYTest): """ Test the compound-types edition of the library """ def setUp(self): self.s = EvalWithCompoundTypes() def test_dict(self): self.t('{}', {}) self.t('{"foo": "bar"}', {'foo': 'bar'}) self.t('{"foo": "bar"}["foo"]', 'bar') self.t('dict()', {}) self.t('dict(a=1)', {'a': 1}) def test_dict_contains(self): self.t('{"a":22}["a"]', 22) with self.assertRaises(KeyError): self.t('{"a":22}["b"]', 22) self.t('{"a": 24}.get("b", 11)', 11) self.t('"a" in {"a": 24}', True) def test_tuple(self): self.t('()', ()) self.t('(1,)', (1,)) self.t('(1, 2, 3, 4, 5, 6)', (1, 2, 3, 4, 5, 6)) self.t('(1, 2) + (3, 4)', (1, 2, 3, 4)) self.t('(1, 2, 3)[1]', 2) self.t('tuple()', ()) self.t('tuple("foo")', ('f', 'o', 'o')) def test_tuple_contains(self): self.t('("a","b")[1]', 'b') with self.assertRaises(IndexError): self.t('("a","b")[5]', 'b') self.t('"a" in ("b","c","a")', True) def test_list(self): self.t('[]', []) self.t('[1]', [1]) self.t('[1, 2, 3, 4, 5]', [1, 2, 3, 4, 5]) self.t('[1, 2, 3][1]', 2) self.t('list()', []) self.t('list("foo")', ['f', 'o', 'o']) def test_list_contains(self): self.t('["a","b"][1]', 'b') with self.assertRaises(IndexError): self.t('("a","b")[5]', 'b') self.t('"b" in ["a","b"]', True) def test_set(self): self.t('{1}', {1}) self.t('{1, 2, 1, 2, 1, 2, 1}', {1, 2}) self.t('set()', set()) self.t('set("foo")', {'f', 'o'}) self.t('2 in {1,2,3,4}', True) self.t('22 not in {1,2,3,4}', True) def test_not(self): self.t('not []', True) self.t('not [0]', False) self.t('not {}', True) self.t('not {0: 1}', False) self.t('not {0}', False) def test_use_func(self): self.s = EvalWithCompoundTypes(functions={"map": map, "str": str}) self.t('list(map(str, [-1, 0, 1]))', ['-1', '0', '1']) with self.assertRaises(NameNotDefined): self.s.eval('list(map(bad, [-1, 0, 1]))') with self.assertRaises(FunctionNotDefined): self.s.eval('dir(str)') with self.assertRaises(FeatureNotAvailable): self.s.eval('str.__dict__') self.s = EvalWithCompoundTypes(functions={"dir": dir, "str": str}) self.t('dir(str)', dir(str)) class TestComprehensions(DRYTest): """ Test the comprehensions support of the compound-types edition of the class. """ def setUp(self): self.s = EvalWithCompoundTypes() def test_basic(self): self.t('[a + 1 for a in [1,2,3]]', [2,3,4]) def test_with_self_reference(self): self.t('[a + a for a in [1,2,3]]', [2,4,6]) def test_with_if(self): self.t('[a for a in [1,2,3,4,5] if a <= 3]', [1,2,3]) def test_with_multiple_if(self): self.t('[a for a in [1,2,3,4,5] if a <= 3 and a > 1 ]', [2,3]) def test_attr_access_fails(self): with self.assertRaises(FeatureNotAvailable): self.t('[a.__class__ for a in [1,2,3]]', None) def test_unpack(self): self.t('[a+b for a,b in ((1,2),(3,4))]', [3, 7]) def test_nested_unpack(self): self.t('[a+b+c for a, (b, c) in ((1,(1,1)),(3,(2,2)))]', [3, 7]) def test_other_places(self): self.s.functions = {'sum': sum} self.t('sum([a+1 for a in [1,2,3,4,5]])', 20) self.t('sum(a+1 for a in [1,2,3,4,5])', 20) def test_external_names_work(self): self.s.names = {'x': [22, 102, 12.3]} self.t('[a/2 for a in x]', [11.0, 51.0, 6.15]) self.s.names = lambda x: ord(x.id) self.t('[a + a for a in [b, c, d]]', [ord(x) * 2 for x in 'bcd']) def test_multiple_generators(self): self.s.functions = {'range': range} s = '[j for i in range(100) if i > 10 for j in range(i) if j < 20]' self.t(s, eval(s)) def test_triple_generators(self): self.s.functions = {'range': range} s = '[(a,b,c) for a in range(4) for b in range(a) for c in range(b)]' self.t(s, eval(s)) def test_too_long_generator(self): self.s.functions = {'range': range} s = '[j for i in range(1000) if i > 10 for j in range(i) if j < 20]' with self.assertRaises(simpleeval.IterableTooLong): self.s.eval(s) def test_too_long_generator_2(self): self.s.functions = {'range': range} s = '[j for i in range(100) if i > 1 for j in range(i+10) if j < 100 for k in range(i*j)]' with self.assertRaises(simpleeval.IterableTooLong): self.s.eval(s) def test_nesting_generators_to_cheat(self): self.s.functions = {'range': range} s = '[[[c for c in range(a)] for a in range(b)] for b in range(200)]' with self.assertRaises(simpleeval.IterableTooLong): self.s.eval(s) def test_no_leaking_names(self): # see issue #52, failing list comprehensions could leak locals with self.assertRaises(simpleeval.NameNotDefined): self.s.eval('[x if x == "2" else y for x in "123"]') with self.assertRaises(simpleeval.NameNotDefined): self.s.eval('x') class TestNames(DRYTest): """ 'names', what other languages call variables... """ def test_none(self): """ what to do when names isn't defined, or is 'none' """ with self.assertRaises(NameNotDefined): self.t("a == 2", None) self.s.names["s"] = 21 with self.assertRaises(NameNotDefined): with warnings.catch_warnings(record=True) as ws: self.t("s += a", 21) self.s.names = None with self.assertRaises(InvalidExpression): self.t('s', 21) self.s.names = {'a': {'b': {'c': 42}}} with self.assertRaises(AttributeDoesNotExist): self.t('a.b.d**2', 42) def test_dict(self): """ using a normal dict for names lookup """ self.s.names = {'a': 42} self.t("a + a", 84) self.s.names['also'] = 100 self.t("a + also - a", 100) # however, you can't assign to those names: with warnings.catch_warnings(record=True) as ws: self.t("a = 200", 200) self.assertEqual(self.s.names['a'], 42) # or assign to lists self.s.names['b'] = [0] with warnings.catch_warnings(record=True) as ws: self.t("b[0] = 11", 11) self.assertEqual(self.s.names['b'], [0]) # but you can get items from a list: self.s.names['b'] = [6, 7] self.t("b[0] * b[1]", 42) # or from a dict self.s.names['c'] = {'i': 11} self.t("c['i']", 11) self.t("c.get('i')", 11) self.t("c.get('j', 11)", 11) self.t("c.get('j')", None) # you still can't assign though: with warnings.catch_warnings(record=True) as ws: self.t("c['b'] = 99", 99) self.assertFalse('b' in self.s.names['c']) # and going all 'inception' on it doesn't work either: self.s.names['c']['c'] = {'c': 11} with warnings.catch_warnings(record=True) as ws: self.t("c['c']['c'] = 21", 21) self.assertEqual(self.s.names['c']['c']['c'], 11) def test_dict_attr_access(self): # nested dict self.assertEqual(self.s.ATTR_INDEX_FALLBACK, True) self.s.names = {'a': {'b': {'c': 42}}} self.t("a.b.c*2", 84) with warnings.catch_warnings(record=True) as ws: self.t("a.b.c = 11", 11) self.assertEqual(self.s.names['a']['b']['c'], 42) # TODO: Wat? with warnings.catch_warnings(record=True) as ws: self.t("a.d = 11", 11) with self.assertRaises(KeyError): self.assertEqual(self.s.names['a']['d'], 11) def test_dict_attr_access_disabled(self): # nested dict self.s.ATTR_INDEX_FALLBACK = False self.assertEqual(self.s.ATTR_INDEX_FALLBACK, False) self.s.names = {'a': {'b': {'c': 42}}} with self.assertRaises(simpleeval.AttributeDoesNotExist): self.t("a.b.c * 2", 84) self.t("a['b']['c'] * 2", 84) self.assertEqual(self.s.names['a']['b']['c'], 42) def test_object(self): """ using an object for name lookup """ class TestObject(object): @staticmethod def method_thing(): return 42 o = TestObject() o.a = 23 o.b = 42 o.c = TestObject() o.c.d = 9001 self.s.names = {'o': o} self.t('o', o) self.t('o.a', 23) self.t('o.b + o.c.d', 9043) self.t('o.method_thing()', 42) with self.assertRaises(AttributeDoesNotExist): self.t('o.d', None) def test_func(self): """ using a function for 'names lookup' """ def resolver(_): """ all names now equal 1024! """ return 1024 self.s.names = resolver self.t("a", 1024) self.t("a + b - c - d", 0) # the function can do stuff with the value it's sent: def my_name(node): """ all names equal their textual name, twice. """ return node.id + node.id self.s.names = my_name self.t("a", "aa") def test_from_doc(self): """ the 'name first letter as value' example from the docs """ def name_handler(node): """ return the alphabet number of the first letter of the name's textual name """ return ord(node.id[0].lower()) - 96 self.s.names = name_handler self.t('a', 1) self.t('a + b', 3) class TestWhitespace(DRYTest): """ test that incorrect whitespace (preceding/trailing) doesn't matter. """ def test_no_whitespace(self): self.t('200 + 200', 400) def test_trailing(self): self.t('200 + 200 ', 400) def test_preciding_whitespace(self): self.t(' 200 + 200', 400) def test_preceding_tab_whitespace(self): self.t("\t200 + 200", 400) def test_preceding_mixed_whitespace(self): self.t(" \t 200 + 200", 400) def test_both_ends_whitespace(self): self.t(" \t 200 + 200 ", 400) class TestSimpleEval(unittest.TestCase): """ test the 'simple_eval' wrapper function """ def test_basic_run(self): self.assertEqual(simple_eval('6*7'), 42) def test_default_functions(self): self.assertEqual(simple_eval('rand() < 1.0 and rand() > -0.01'), True) self.assertEqual(simple_eval('randint(200) < 200 and rand() > 0'), True) class TestMethodChaining(unittest.TestCase): def test_chaining_correct(self): """ Contributed by Khalid Grandi (xaled). """ class A(object): def __init__(self): self.a = "0" def add(self, b): self.a += "-add" + str(b) return self def sub(self, b): self.a += "-sub" + str(b) return self def tostring(self): return str(self.a) x = A() self.assertEqual(simple_eval("x.add(1).sub(2).sub(3).tostring()", names={"x": x}), "0-add1-sub2-sub3") class TestExtendingClass(unittest.TestCase): """ It should be pretty easy to extend / inherit from the SimpleEval class, to further lock things down, or unlock stuff, or whatever. """ def test_methods_forbidden(self): # Example from README class EvalNoMethods(simpleeval.SimpleEval): def _eval_call(self, node): if isinstance(node.func, ast.Attribute): raise simpleeval.FeatureNotAvailable("No methods please, we're British") return super(EvalNoMethods, self)._eval_call(node) e = EvalNoMethods() self.assertEqual(e.eval('"stuff happens"'), "stuff happens") self.assertEqual(e.eval('22 + 20'), 42) self.assertEqual(e.eval('int("42")'), 42) with self.assertRaises(simpleeval.FeatureNotAvailable): e.eval('" blah ".strip()') class TestExceptions(unittest.TestCase): """ confirm a few attributes exist properly and haven't been eaten by 2to3 or whatever... (see #41) """ def test_functionnotdefined(self): try: raise FunctionNotDefined("foo", "foo in bar") except FunctionNotDefined as e: assert hasattr(e, 'func_name') assert getattr(e, 'func_name') == 'foo' assert hasattr(e, 'expression') assert getattr(e, 'expression') == 'foo in bar' def test_namenotdefined(self): try: raise NameNotDefined("foo", "foo in bar") except NameNotDefined as e: assert hasattr(e, 'name') assert getattr(e, 'name') == 'foo' assert hasattr(e, 'expression') assert getattr(e, 'expression') == 'foo in bar' def test_attributedoesnotexist(self): try: raise AttributeDoesNotExist("foo", "foo in bar") except AttributeDoesNotExist as e: assert hasattr(e, 'attr') assert getattr(e, 'attr') == 'foo' assert hasattr(e, 'expression') assert getattr(e, 'expression') == 'foo in bar' class TestUnusualComparisons(DRYTest): def test_custom_comparison_returner(self): class Blah(object): def __gt__(self, other): return self b = Blah() self.s.names = {'b': b} self.t('b > 2', b) def test_custom_comparison_doesnt_return_boolable(self): """ SqlAlchemy, bless it's cotton socks, returns BinaryExpression objects when asking for comparisons between things. These BinaryExpressions raise a TypeError if you try and check for Truthyiness. """ class BinaryExpression(object): def __init__(self, value): self.value = value def __eq__(self, other): return self.value == getattr(other, 'value', other) def __repr__(self): return ''.format(self.value) def __bool__(self): # This is the only important part, to match SqlAlchemy - the rest # of the methods are just to make testing a bit easier... raise TypeError("Boolean value of this clause is not defined") class Blah(object): def __gt__(self, other): return BinaryExpression('GT') def __lt__(self, other): return BinaryExpression('LT') b = Blah() self.s.names = {'b': b} # This should not crash: e = eval('b > 2', self.s.names) self.t('b > 2', BinaryExpression('GT')) self.t('1 < 5 > b', BinaryExpression('LT')) class TestGetItemUnhappy(DRYTest): # Again, SqlAlchemy doing unusual things. Throwing it's own errors, rather than # expected types... def test_getitem_not_implemented(self): class Meh(object): def __getitem__(self, key): raise NotImplementedError("booya!") def __getattr__(self, key): return 42 m = Meh() self.assertEqual(m.anything, 42) with self.assertRaises(NotImplementedError): m['nothing'] self.s.names = {"m": m} self.t("m.anything", 42) with self.assertRaises(NotImplementedError): self.t("m['nothing']", None) self.s.ATTR_INDEX_FALLBACK = False self.t("m.anything", 42) with self.assertRaises(NotImplementedError): self.t("m['nothing']", None) class TestShortCircuiting(DRYTest): def test_shortcircuit_if(self): x = [] def foo(y): x.append(y) return y self.s.functions = {'foo': foo} self.t('foo(1) if foo(2) else foo(3)', 1) self.assertListEqual(x, [2, 1]) x = [] self.t('42 if True else foo(99)', 42) self.assertListEqual(x, []) def test_shortcircuit_comparison(self): x = [] def foo(y): x.append(y) return y self.s.functions = {'foo': foo} self.t('foo(11) < 12', True) self.assertListEqual(x, [11]) x = [] self.t('1 > 2 < foo(22)', False) self.assertListEqual(x, []) class TestDisallowedFunctions(DRYTest): def test_functions_are_disallowed_at_init(self): DISALLOWED = [type, isinstance, eval, getattr, setattr, help, repr, compile, open] if simpleeval.PYTHON3: exec('DISALLOWED.append(exec)') # exec is not a function in Python2... for f in simpleeval.DISALLOW_FUNCTIONS: assert f in DISALLOWED for x in DISALLOWED: with self.assertRaises(FeatureNotAvailable): s = SimpleEval(functions ={'foo': x}) def test_functions_are_disallowed_in_expressions(self): DISALLOWED = [type, isinstance, eval, getattr, setattr, help, repr, compile, open] if simpleeval.PYTHON3: exec('DISALLOWED.append(exec)') # exec is not a function in Python2... for f in simpleeval.DISALLOW_FUNCTIONS: assert f in DISALLOWED DF = simpleeval.DEFAULT_FUNCTIONS.copy() for x in DISALLOWED: simpleeval.DEFAULT_FUNCTIONS = DF.copy() with self.assertRaises(FeatureNotAvailable): s = SimpleEval() s.functions['foo'] = x s.eval('foo(42)') simpleeval.DEFAULT_FUNCTIONS = DF.copy() if __name__ == '__main__': # pragma: no cover unittest.main()