> In Perl, eval can be used with a block to trap exceptions which is why it was being used everywhere.
...which your search doesn't seem to exclude (I'm not signing up to GitHub to find out so I'm just guessing from your URL that you didn't exclude "eval {" or "eval q{")
It does still use eval on occasion and they seem happy with it.
* for their own controlled expressions to customise base parsing behaviour (which could be refactored to use function references instead, but it's not a case of evaluating external data)
* to test if modules can be imported (which you've excluded from your search)
* and in one case in CanonRaw.pm, using eval on an expression that matches [0-9./]+, I'm not sure it looks at external data but it might, and at best you could cause a divide-by-zero error (e.g. 1/0) or syntax error (e.g. ///) if you mess with the data it parses.
So overall, not much dangerous eval going on.
Your observation is proper in that it did not exclude the patterns you mentioned, but in this specific case it is not necessary because all 4 results are shaped the exact same way:
lib/Image/ExifTool/Exif.pm
    #### eval Start ($valuePtr, $val)
    my $newStart = eval($$subdir{Start});
    unless (Image::ExifTool::IsInt($newStart)) {
    #### eval Base ($start,$base)
    $subdirBase = eval($$subdir{Base}) + $base;
    }
lib/Image/ExifTool/MakerNotes.pm
    #### eval Start ($valuePtr)
    $newStart = eval($$subdir{Start});
    }
    #### eval Base ($start,$base)
    my $baseShift = eval($$subdir{Base});
    # shift directory base (note: we may do this again below
    #### eval OffsetPt ($valuePtr)
    $ifdOffsetPos = eval($$subdir{OffsetPt}) - $dirStart;
    }
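To make the two points above concrete (the table-driven string evals in these excerpts, and the function-reference refactor plus the trapped numeric eval from the CanonRaw comment), here is an added example; it is not ExifTool's code, and the table keys, expressions and offsets are made up for illustration:

```perl
use strict; use warnings;

# Hypothetical subdirectory table in the style of the excerpts: Start and Base
# are expression strings over the caller's lexicals ($valuePtr, $start).
my %subdir_string = (
    Start => '$valuePtr + 8',
    Base  => '$start - 4',
);

sub locate_with_string_eval {
    my ($subdir, $valuePtr, $base) = @_;
    my $start = eval($$subdir{Start});        # string eval sees $valuePtr
    die "Start expression failed: $@" if $@;
    my $shift = eval($$subdir{Base});         # and now also $start
    die "Base expression failed: $@" if $@;
    return ($start, $shift + $base);
}

# Same table with code references: nothing is compiled at run time, and an
# expression can only reach the values handed to it explicitly.
my %subdir_coderef = (
    Start => sub { my %a = @_; $a{valuePtr} + 8 },
    Base  => sub { my %a = @_; $a{start} - 4 },
);

sub locate_with_coderefs {
    my ($subdir, $valuePtr, $base) = @_;
    my $start = $$subdir{Start}->(valuePtr => $valuePtr);
    my $shift = $$subdir{Base}->(start => $start);
    return ($start, $shift + $base);
}

# The CanonRaw case: a file value matching [0-9./]+ is evaluated as arithmetic.
# The character class keeps out arbitrary code, but "1/0" still dies at run
# time and "///" fails to compile, so the failure has to be caught.
sub eval_numeric_expr {
    my ($expr) = @_;
    return undef unless defined $expr and $expr =~ m{\A[0-9./]+\z};
    my $v = eval $expr;        # $@ is set on divide-by-zero or syntax error
    return $@ ? undef : $v;
}

my ($s1, $b1) = locate_with_string_eval(\%subdir_string, 100, 1000);
my ($s2, $b2) = locate_with_coderefs(\%subdir_coderef, 100, 1000);
printf "string eval: start=%d base=%d\n", $s1, $b1;
printf "coderefs:    start=%d base=%d\n", $s2, $b2;
for my $e ('3/4', '1/0', '///', '2+2') {
    my $r = eval_numeric_expr($e);
    printf "%-4s => %s\n", $e, defined $r ? $r : 'rejected';
}
```

Both locate functions return the same offsets; the difference is that the coderef table cannot run anything beyond what was written into the table, while the string table depends on the table contents never being influenced by the file.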
You're right that excluding "eval {" is not necessary because it only occurs in the already excluded subset, but that search link is missing a lot of matches since the space character in my pattern has turned into a plus sign in yours. Try this: https://sourcegraph.com/search?q=context%3Aglobal+repo%3A%5E...
There are also some cases (excluded in this search) where a charset parameter is passed around and eventually passed to eval in the LoadCharset function, e.g. from the RTF parser through the Recompose method. Not sure if that's always safe.
Catching exceptions from eval-ing untrusted code doesn't strike me as being a big help from security POV, or is there something else special about the block form of eval that helps here?