Static analysis of Python code should include review of "unsafe" things like exec(), eval(), ctypes, C strings, memcpy (*).

Containers are considered nearly sufficient to sandbox Python, which cannot be effectively sandboxed using Python itself. Isn't that actually true for all languages though?

There's a RustPython, but it does support CFFI and __builtins__.eval, so


The example given by parent does not need eval to trigger, though. Just create a function, replace its code object, then call it; it will easily segfault.


Complete example without eval:

  def f(): pass
  # Even an empty body loads one constant (None) from co_consts on return;
  # emptying the tuple makes that LOAD index past the end of the array.
  # code.replace() exists since Python 3.8 (earlier: types.CodeType(...)).
  f.__code__ = f.__code__.replace(co_consts=())
  f()  # out-of-bounds read inside the interpreter loop, typically a segfault


yup, eval was just there for golfing purposes

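Both points above (the first comment's list of "unsafe" constructs to review statically, and the later code-object replacement that crashes the interpreter without eval) can be turned into a concrete check. The following is an added example, not code from any of the commenters: a small ast-based audit that flags literal uses of exec/eval/compile/__import__, imports of ctypes or cffi, and assignments to writable function attributes such as __code__. The watch-lists, the Finding type and the SAMPLE input are all assumptions made for this example. It is a review aid, not a sandbox: anything built dynamically, e.g. getattr(builtins, "ev" + "al"), walks straight past it, which is the thread's point about Python not being sandboxable from inside Python.

```python
"""Tiny AST-based audit for the 'unsafe' Python constructs named in the thread.

Added example, not from the original comments. It is a linter, not a sandbox:
it only catches literal uses and is trivially bypassed by e.g.
getattr(builtins, "ev" + "al"), so treat hits as review prompts.
"""
import ast
from dataclasses import dataclass

# Assumed watch-lists; extend them for your code base.
DANGEROUS_CALLS = {"exec", "eval", "compile", "__import__"}
DANGEROUS_MODULES = {"ctypes", "cffi"}
# Writable function attributes whose assignment lets code bypass the
# bytecode compiler entirely (the thread's f.__code__ replacement).
DANGEROUS_STORES = {"__code__", "__defaults__", "__kwdefaults__", "__class__"}


@dataclass(frozen=True)
class Finding:
    line: int
    kind: str    # "call", "import" or "attr-write"
    detail: str  # the offending expression, as source text


def scan_source(src: str, filename: str = "<string>") -> list[Finding]:
    """Return every suspicious construct in `src`, sorted by line number."""
    tree = ast.parse(src, filename)
    findings: list[Finding] = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            fn = node.func
            # Bare eval(...) as well as builtins.eval(...) / __builtins__.eval(...)
            if isinstance(fn, ast.Name) and fn.id in DANGEROUS_CALLS:
                findings.append(Finding(node.lineno, "call", fn.id))
            elif isinstance(fn, ast.Attribute) and fn.attr in DANGEROUS_CALLS:
                findings.append(Finding(node.lineno, "call", ast.unparse(fn)))
        elif isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in DANGEROUS_MODULES:
                    findings.append(Finding(node.lineno, "import", alias.name))
        elif isinstance(node, ast.ImportFrom):
            # node.module is None for "from . import x"
            if (node.module or "").split(".")[0] in DANGEROUS_MODULES:
                findings.append(Finding(node.lineno, "import", node.module))
        elif isinstance(node, ast.Attribute):
            # Store context covers plain, augmented and tuple-unpacking assignments;
            # reads of f.__code__ (Load context) are left alone.
            if isinstance(node.ctx, ast.Store) and node.attr in DANGEROUS_STORES:
                findings.append(Finding(node.lineno, "attr-write", ast.unparse(node)))
    findings.sort(key=lambda f: f.line)
    return findings


# Constructed sample input: the thread's crash snippet plus two spellings of eval.
SAMPLE = """\
import ctypes
def f(): pass
f.__code__ = f.__code__.replace(co_consts=())
f()
result = eval("1+1")
__builtins__.eval("2")
"""

if __name__ == "__main__":
    for hit in scan_source(SAMPLE):
        print(f"line {hit.line}: {hit.kind} {hit.detail}")
```

Run against SAMPLE it reports the ctypes import, the write to f.__code__ on line 3, and both eval calls; the f.__code__.replace(...) call on the right-hand side is not reported because that attribute is only read there. Checking ctx rather than matching ast.Assign targets is what keeps augmented and unpacking assignments covered without extra cases.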
