
Static analysis of Python code should include review of "unsafe" things like exec(), eval(), ctypes, C strings, memcpy (*).

Containers are considered nearly sufficient to sandbox Python, which cannot be effectively sandboxed using Python itself. Isn't that actually true for all languages though?

There's a RustPython, but it does support CFFI and __builtins__.eval, so



The example given by parent does not need eval to trigger though. Just create a function and replace its code object then call it, it will easily segfault.


Complete example without eval:

  # Requires Python 3.8+ for code.replace()
  def f(): pass
  # Swap in a code object with an empty constants tuple; the bytecode still
  # loads constant index 0 (None), so the interpreter reads out of bounds.
  f.__code__ = f.__code__.replace(co_consts=())
  f()  # crashes the interpreter instead of raising a Python exception
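A static check of the kind the first comment calls for, added here as an example that is not code from any commenter: it walks the AST and flags eval()/exec() calls (including the __builtins__.eval form), ctypes imports, and assignments to __code__ such as the snippet above. The class, function and constant names are my own.

```python
import ast

UNSAFE_CALLS = {"eval", "exec"}          # dynamic code execution
UNSAFE_MODULES = {"ctypes"}              # native memory access
UNSAFE_ATTR_WRITES = {"__code__"}        # rewriting a function's bytecode

class UnsafeFinder(ast.NodeVisitor):
    def __init__(self):
        self.findings = []  # (line, description) pairs for manual review

    def visit_Import(self, node):
        for alias in node.names:
            if alias.name.split(".")[0] in UNSAFE_MODULES:
                self.findings.append((node.lineno, f"import of {alias.name}"))
        self.generic_visit(node)

    def visit_ImportFrom(self, node):
        if node.module and node.module.split(".")[0] in UNSAFE_MODULES:
            self.findings.append((node.lineno, f"import from {node.module}"))
        self.generic_visit(node)

    def visit_Call(self, node):
        func = node.func
        # Covers bare eval(...) and attribute forms such as __builtins__.eval(...)
        name = func.id if isinstance(func, ast.Name) else getattr(func, "attr", None)
        if name in UNSAFE_CALLS:
            self.findings.append((node.lineno, f"call to {name}()"))
        self.generic_visit(node)

    def visit_Assign(self, node):
        for target in node.targets:
            if isinstance(target, ast.Attribute) and target.attr in UNSAFE_ATTR_WRITES:
                self.findings.append((node.lineno, f"assignment to {target.attr}"))
        self.generic_visit(node)

def find_unsafe(source):
    """Return sorted (line, description) findings for a Python source string."""
    finder = UnsafeFinder()
    finder.visit(ast.parse(source))
    return sorted(finder.findings)

# Constructed sample: the thread's crash snippet plus an eval and an exec call.
SAMPLE = """\
import ctypes
def f(): pass
f.__code__ = f.__code__.replace(co_consts=())
f()
__builtins__.eval("1+1")
exec("print(1)")
"""
```

Running find_unsafe(SAMPLE) reports lines 1, 3, 5 and 6; the source is parsed, never executed, so the sample's crash is not triggered.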


yup, eval was just there for golfing purposes



