Home/ Questions/Q 7631073
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-31T06:15:39+00:00

I have been tasked with building an application where an end user can have

  • 0

I have been tasked with building an application where an end user can have custom rules to evaluate whether a returned query results in a warning or alert (based on there own thresholds).

I’ve built a way for the user to template their logic. An example looks like this:

if (abs(<<21>>) >= abs(<<22>>)):
    retVal = <<21>>
else:
    retVal = <<22>>

The <<21>> and <<22>> parameters will be substituted with values found earlier in the program. Once all this substitution occurs I have a very simple if/else block (in this example) that looks like this stored in a variable (execCd):

if (abs(22.0) >= abs(-162.0)):
    retVal = 22.0
else:
    retVal = -162.0

This will exec() correctly. Now, how can I secure this? I’ve looked at this article: http://lybniz2.sourceforge.net/safeeval.html

My code ends up looking like this:

safe_list = ['math','acos', 'asin', 'atan', 'atan2', 'ceil', 'cos', 'cosh', 'de grees', 'e', 'exp', 'fabs', 'floor', 'fmod', 'frexp', 'hypot', 'ldexp', 'log', 'log10', 'modf', 'pi', 'pow', 'radians', 'sin', 'sinh', 'sqrt', 'tan', 'tanh'] 
safe_dict = dict([ (k, locals().get(k, None)) for k in safe_list ]) 
safe_dict['abs'] = abs
exec(execCd,{"__builtins__":None},safe_dict)

However, the exec fails when I have the second and third parameter with this exception – NameError: name 'retVal' is not defined

Some of the custom logic the end users have is extensive and much of this changes on a fairly regular basis. I don’t want to maintain their custom logic and end users want to be able to test various warning/alert threshold logic quickly.

How can I secure this exec statement from unsafe (either intentional or unintentional) code?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Your exec statement isn’t adding retVal to your local environment, but to the safe_dict dictionary. So you can get it back from there:

    execCd = """
if (abs(22.0) >= abs(-162.0)):
    retVal = 22.0
else:
    retVal = -162.0
"""

safe_list = ['math','acos', 'asin', 'atan', 'atan2', 'ceil', 'cos', 'cosh', 'de grees', 'e', 'exp', 'fabs', 'floor', 'fmod', 'frexp', 'hypot', 'ldexp', 'log', 'log10', 'modf', 'pi', 'pow', 'radians', 'sin', 'sinh', 'sqrt', 'tan', 'tanh'] 
safe_dict = dict([ (k, locals().get(k, None)) for k in safe_list ]) 
safe_dict['abs'] = abs
exec(execCd,{"__builtins__":None},safe_dict)
retVal = safe_dict["retVal"]
    • 0