I plan to use those functions in web-environment, so my concern is if those functions can be exploited and used for executing malicious software on the server.
Edit: I don’t execute the result. I parse the AST tree and/or catch SyntaxError.
This is the code in question:
import compiler                 # Python 2 only: deprecated, and removed in Python 3
from pyflakes import checker


def check_source(code_string, filename):
    try:
        # compile the code and check for syntax errors
        compile(code_string, filename, "exec")
    except SyntaxError as value:
        msg = value.args[0]
        (lineno, offset, text) = value.lineno, value.offset, value.text
        if text is None:
            return [{"line": 0, "offset": 0,
                     "message": u"Problem decoding source"}]
        else:
            # report the offset relative to the last line of the offending text
            line = text.splitlines()[-1]
            if offset is not None:
                offset = offset - (len(text) - len(line))
            else:
                offset = 0
            return [{"line": lineno, "offset": offset, "message": msg}]
    else:
        # no syntax errors, check it with pyflakes
        tree = compiler.parse(code_string)
        w = checker.Checker(tree, filename)
        w.messages.sort(key=lambda m: m.lineno)
        # hand the sorted pyflakes messages back to the caller
        return w.messages
checker.Checker is the pyflakes class that parses the AST tree.
compiler.parse and compile could most definitely be used for an attack if the attacker can control their input and the output is executed. In most cases, you are going to either eval or exec their output to make it run, so those are still the usual suspects, and compile and compiler.parse (deprecated BTW) are just adding another step between the malicious input and the execution.

EDIT:

Just saw that you left a comment indicating that you are actually planning on using these on USER INPUT. Don’t do that. Or at least, don’t actually execute the result. That’s a huge security hole for whoever ends up running that code. And if nobody’s going to run it, why compile it?

Since you clarified that you only want to check syntax, this should be fine. I would not store the output though, as there’s no reason to make anything easier for a potential attacker, and being able to get arbitrary code onto your system is a first step.

If you do need to store it, I would probably favor a scheme similar to that commonly used for images, where they are renamed in a non-predictable manner, with the added step of making sure that it is not stored on the import path.
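The same parse-only check as the question's function, written here as an added Python 3 example (not code from the question or the answer): the deprecated compiler module is replaced by ast, pyflakes is left out, and the size limit is an assumed value. The second function walks the resulting tree to show that a hostile-looking submission is just data once parsed, and nothing here ever calls exec() or eval().

```python
import ast

# Constructed sample inputs: well-formed, syntactically broken, and one that
# would be dangerous if executed but is harmless to parse.
SAMPLES = {
    "clean": "x = 1\nprint(x)\n",
    "broken": "def f(:\n    pass\n",
    "hostile": "__import__('os').system('echo pwned')\n",
}

MAX_SOURCE_BYTES = 64 * 1024  # assumed limit; tune for your deployment


def check_syntax(code_string, filename="<submitted>"):
    """Parse untrusted source and report problems without executing it.

    Returns a list of {"line", "offset", "message"} dicts, empty when the
    source parses cleanly.  Only ast.parse is called; the returned tree is
    never compiled, exec()'d or imported.
    """
    if len(code_string) > MAX_SOURCE_BYTES:
        return [{"line": 0, "offset": 0, "message": "source too large"}]
    try:
        ast.parse(code_string, filename, "exec")
    except SyntaxError as value:
        if value.text is None:
            return [{"line": 0, "offset": 0,
                     "message": "Problem decoding source"}]
        return [{"line": value.lineno, "offset": value.offset or 0,
                 "message": value.args[0]}]
    except (RecursionError, MemoryError):
        # Pathologically nested input exhausts the parser; report, don't crash.
        return [{"line": 0, "offset": 0, "message": "source too deeply nested"}]
    return []


def called_names(code_string):
    """Names of functions/attributes called in valid source, read off the AST.

    Demonstrates that parsing yields inspectable data: the calls are listed,
    but none of them ran.
    """
    names = []
    for node in ast.walk(ast.parse(code_string)):
        if isinstance(node, ast.Call):
            if isinstance(node.func, ast.Name):
                names.append(node.func.id)
            elif isinstance(node.func, ast.Attribute):
                names.append(node.func.attr)
    return names
```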