Merge branch '492-Stop-using-eval' into 'master'

Resolve "Stop using `eval()`" Closes #492 See merge request fdroid/fdroidserver!506
2025-11-04 22:40:29 +03:00 · 2018-05-22 14:21:43 +00:00 · 2018-05-22 14:21:43 +00:00 · bd6de3d755
commit bd6de3d755
parent 79a022400f 6b1f242d25
3 changed files with 40 additions and 1 deletions
--- a/fdroidserver/checkupdates.py
+++ b/fdroidserver/checkupdates.py
@ -434,7 +434,7 @@ def checkupdates_app(app):
                                    .format(field=app.VercodeOperation))
        oldvercode = str(int(vercode))
        op = app.VercodeOperation.replace("%c", oldvercode)
-        vercode = str(eval(op))
+        vercode = str(common.calculate_math_string(op))
        logging.debug("Applied vercode operation: %s -> %s" % (oldvercode, vercode))

    if version and any(version.startswith(s) for s in [
--- a/fdroidserver/common.py
+++ b/fdroidserver/common.py
@ -24,6 +24,7 @@ import io
 import os
 import sys
 import re
+import ast
 import shutil
 import glob
 import stat
@ -3205,3 +3206,28 @@ def get_git_describe_link():
    else:
        logging.error(_("'{path}' failed to execute!").format(path='git describe'))
        return ''
+
+
+def calculate_math_string(expr):
+    ops = {ast.Add: operator.add, ast.Sub: operator.sub,
+           ast.Mult: operator.mul}
+
+    def execute_ast(node):
+        if isinstance(node, ast.Num):  # <number>
+            return node.n
+        elif isinstance(node, ast.BinOp):  # <left> <operator> <right>
+            return ops[type(node.op)](execute_ast(node.left),
+                                      execute_ast(node.right))
+        elif isinstance(node, ast.UnaryOp):  # <operator> <operand> e.g., -1
+            return ops[type(node.op)](eval(node.operand))
+        else:
+            raise SyntaxError(node)
+
+    try:
+        if '#' in expr:
+            raise SyntaxError('no comments allowed')
+        return execute_ast(ast.parse(expr, mode='eval').body)
+    except SyntaxError as e:
+        raise SyntaxError("could not parse expression '{expr}', "
+                          "only basic math operations are allowed (+, -, *)"
+                          .format(expr=expr))
--- a/tests/common.TestCase
+++ b/tests/common.TestCase
@ -779,6 +779,19 @@ class CommonTest(unittest.TestCase):
        self.assertEqual(('1.0-free', '1', 'com.kunzisoft.fdroidtest.applicationidsuffix'),
                         fdroidserver.common.parse_androidmanifests(paths, app))

+    def test_calculate_math_string(self):
+        self.assertEqual(1234, fdroidserver.common.calculate_math_string('1234'))
+        self.assertEqual(4, fdroidserver.common.calculate_math_string('(1+1)*2'))
+        self.assertEqual(2, fdroidserver.common.calculate_math_string('(1-1)*2+3*1-1'))
+        with self.assertRaises(SyntaxError):
+            fdroidserver.common.calculate_math_string('__import__("urllib")')
+        with self.assertRaises(SyntaxError):
+            fdroidserver.common.calculate_math_string('self')
+        with self.assertRaises(SyntaxError):
+            fdroidserver.common.calculate_math_string('1+1; print(1)')
+        with self.assertRaises(SyntaxError):
+            fdroidserver.common.calculate_math_string('1-1 # no comment')
+

 if __name__ == "__main__":
    parser = optparse.OptionParser()