From 77e73d70a9b81a7bbd8e49be52612fc62a9f9502 Mon Sep 17 00:00:00 2001 From: Qrius Date: Tue, 6 May 2025 14:22:33 +0200 Subject: Disable unsafe code execution by default --- src/smp/__init__.py | 9 +++++++++ src/smp/builtins.py | 4 ++++ src/smp/macro_processor.py | 8 ++++++-- 3 files changed, 19 insertions(+), 2 deletions(-) (limited to 'src/smp') diff --git a/src/smp/__init__.py b/src/smp/__init__.py index f7cb937..2cdf2fe 100644 --- a/src/smp/__init__.py +++ b/src/smp/__init__.py @@ -41,6 +41,13 @@ def main(): action="store_true", help="Prefix builtins with smp_", ) + parser.add_argument( + "-U", + "--unsafe", + default=False, + action="store_true", + help="Allow unsafe code execution", + ) parser.add_argument( "file", nargs="?", default=None, help='Input file or "-" for stdin' ) @@ -50,6 +57,8 @@ def main(): macro_processor_state = smp.macro_processor.MacroProcessorState() prefix = "smp_" if args.prefix_builtins else "" macro_processor = macro_processor_state.macro_processor(prefix=prefix) + if args.unsafe: + macro_processor.unsafe_code_execution = True for key, value in args.D.items(): macro_processor.define_macro(key, value) diff --git a/src/smp/builtins.py b/src/smp/builtins.py index 36cc380..6beb224 100644 --- a/src/smp/builtins.py +++ b/src/smp/builtins.py @@ -113,11 +113,15 @@ def smp_builtin_include_verbatim(macro_processor, filename): def smp_builtin_shell(macro_processor, cmd_args): + if not macro_processor.unsafe_code_execution: + raise Exception("unsafe code execution now allowed!") cmd_args = macro_processor.process_input(cmd_args) return subprocess.check_output(cmd_args, shell=True).decode() def smp_builtin_eval(macro_processor, expression): + if not macro_processor.unsafe_code_execution: + raise Exception("unsafe code execution now allowed!") r = eval( expression, macro_processor.py_local_env_current, diff --git a/src/smp/macro_processor.py b/src/smp/macro_processor.py index a473db4..d5f4e8e 100644 --- a/src/smp/macro_processor.py +++ b/src/smp/macro_processor.py @@ -76,6 +76,8 @@ class MacroProcessor: expansion_stack: list[Any] + unsafe_code_execution: bool = False + def __init__(self, prefix=""): self.macros = dict() self.macro_invocations = list() @@ -140,7 +142,7 @@ class MacroProcessor: return self.macros.get(f"{sub_prefix}{macro_name}", default) def _define_metadata(self, macro_name, macro_value): - sub_prefix = (self._get_macro_builtin("metadata_prefix")) + sub_prefix = self._get_macro_builtin("metadata_prefix") self.define_macro(f"{sub_prefix}{macro_name}", macro_value) def log_warning(self, message): @@ -351,7 +353,7 @@ class MacroProcessor: i += 1 continue - if c == "%" and peek == "(": + if self.unsafe_code_execution and c == "%" and peek == "(": state = ParserState.IN_CODE i += 2 state_start = i @@ -499,6 +501,8 @@ class MacroProcessor: elif state == ParserState.IN_CODE: if c == ")" and peek == "%": try: + if not self.unsafe_code_execution: + raise Exception("unsafe code execution now allowed!") self._enter_frame("inline_code", file, linenr, input) f = StringIO() with redirect_stdout(f): -- cgit v1.2.3