Friday Fun with EVAL()

Sean de Wolski on 12 Apr 2013
I think I may have come across the first time in my >5 years of using MATLAB that I have a case where the best possible answer is to use eval().
Here's the scenario:
I'm working on a test that requires the user to input a string in an edit box. This string needs to create a very specific anonymous function, e.g.:
Create an anonymous function, f, that takes two inputs x,y and runs x^2+y^2+2
Once the anonymous function is created, I can test the correctness using a comparison with the output from functions(f).
How I plan to safeguard against it breaking everything else:
  • eval(str) will be inside of a try/catch in case they error.
  • I will "pre-regexprep" the string to remove any case where more than two letters are consecutive. This should stop most malicious behavior.
  • I will eval(str) inside of a subfunction where no variables being destroyed or created will hurt me.
  • I will verify that f exists and that it's a function handle. If it does not exist, I'll pass back a wrong answer so it fails.
P.S. When I say malicious, I just mean someone having fun with this :)
The alternatives I've thought of:
  • Use regexp to verify that everything in the string is in the right order. Shortcoming: this does not scale well, and there are cases where the answer is correct but my regular expression misses it, such as with unnecessary extra parentheses.
  • Write it to a MATLAB file. Run the file. This has no real advantages that I can see...
  3 Comments
Walter Roberson on 12 Apr 2013
Not preregexp -- either regexprep() or regexptranslate()
Sean de Wolski on 12 Apr 2013
@Cedric, yeah I can forget about it by Monday if I leave it working :)
@Walter, I meant pre-regexp as in I would use regexprep before eval()ing it.
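The safeguard list above, written out as an added MATLAB example (this is not code from the original post). It follows the same plan, normalize the string, filter it, eval it inside a subfunction under try/catch, then verify that a two-argument function handle came back, but with two changes a practitioner would want: the "no more than two consecutive letters" regexprep is replaced by a token allowlist that accepts only numbers, x, y, arithmetic operators and parentheses, and correctness is checked by evaluating f and a reference handle at sample points instead of comparing the text returned by functions(f). The function names checkAnswer and buildHandle, the sample points and the 1e-9 tolerance are assumptions of this example.

```matlab
function ok = checkAnswer(str)
% checkAnswer  Decide whether a user-typed definition of f computes
% x^2 + y^2 + 2 for two inputs x, y. Returns false on any rejection.
%
% Added example, not from the original thread. Assumes the expected
% answer is fixed and the only identifiers a user may use are x and y.
    ok  = false;
    ref = @(x,y) x.^2 + y.^2 + 2;            % reference implementation

    % 1. Normalize: drop whitespace, an optional "f =" prefix, a trailing ";"
    s = regexprep(str, '\s+', '');
    s = regexprep(s, '^f=', '');
    s = regexprep(s, ';$', '');

    % 2. Require the anonymous-function header and isolate the body
    tok = regexp(s, '^@\(x,y\)(.+)$', 'tokens', 'once');
    if isempty(tok)
        return
    end
    body = tok{1};

    % 3. Allowlist the body token by token instead of denylisting letters.
    %    Accepted: numbers, x, y, + - * / ^ .^ .* ./ and parentheses.
    %    Anything else (a function name, quote, bracket, '!' ...) leaves a
    %    residue and the answer is rejected before eval ever sees it.
    allowed = '(\d+(\.\d*)?([eE][+-]?\d+)?|x|y|\.\^|\.\*|\./|[-+*/^()])';
    residue = regexprep(body, allowed, '');
    if ~isempty(residue)
        return
    end

    % 4. Build the handle in its own workspace and verify its shape
    f = buildHandle(['@(x,y)' body]);
    if ~isa(f, 'function_handle') || nargin(f) ~= 2
        return
    end

    % 5. Compare values at constructed sample points, so that equivalent
    %    spellings such as "(x.^2)+(y.^2)+2" or "2+x^2+y^2" are accepted.
    pts = [-3 4; -1.5 -2; 0 0; 0.5 1.25; 2 -6; 7 3];   % constructed (x,y) pairs
    for k = 1:size(pts, 1)
        try
            got = f(pts(k,1), pts(k,2));
        catch
            return                              % body errored at call time
        end
        if ~isnumeric(got) || ~isscalar(got) || ...
                abs(got - ref(pts(k,1), pts(k,2))) > 1e-9
            return
        end
    end
    ok = true;
end

function f = buildHandle(src)
% Only local variables live here, so whatever eval does cannot clobber
% the caller's workspace. Errors are swallowed and reported as "no handle".
    f = [];
    try
        f = eval(src);
    catch
    end
end
```

Usage: checkAnswer('f = @(x,y) x.^2 + y.^2 + 2;') and checkAnswer('@(x,y)(x^2)+(y^2)+2') both return true; a body containing any name other than x or y returns false without reaching eval. The point of the allowlist is that a denylist such as "strip runs of three or more letters" only blocks what its author thought of (two-letter MATLAB function names such as cd or ls pass it), whereas the allowlist rejects everything that is not part of the expression grammar the question actually asks for. Because the text has already been reduced to @(x,y) followed by an arithmetic expression, str2func(src) can stand in for eval(src) in buildHandle without changing the guard.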


Answers (3)

Friedrich on 13 Apr 2013
Edited: Friedrich on 13 Apr 2013
Hi Sean,
Why use "eval" and not "inline" on the post-processed user input string?
  3 Comments
Sean de Wolski on 15 Apr 2013
And I would have to pre-regexprep it to remove the f =
inline('f=@(x,y)x.^2+y.^2+2')
That is a simpler expression, but in Cleve's words, avoid inline too!
Friedrich on 15 Apr 2013
Edited: Friedrich on 15 Apr 2013
As long as you call eval only once, it should be fine with eval. In addition, the 13a doc states: "inline will be removed in a future release. Use Anonymous Functions instead."
Which will then lead to eval in order to create the function handle dynamically anyway.



Daniel Shub on 18 Apr 2013
What about str2func?

Jan on 18 Apr 2013
Edited: Jan on 18 Apr 2013
Make the expression a string and send it by urlwrite to a dedicated problem at Cody. There MATLAB runs in a virtual machine which is refreshed automatically. They run it under Ubuntu, so that you do not have to care about the security leaks in Windows which would allow one to get admin privileges. Unfortunately Ubuntu is not a tank either, and an evil user could try to embed code to start sendmail.
This would catch evilness of categories 1 to 3:
  • typos
  • unwanted calls of toolbox functions
  • calls of operating system functions like deleting files
This would not catch evilness of category 4:
  • psychotic script kids, who really plan to use your program for evil and criminal activities.
My conclusion: It is your intention to evaluate code typed in by the user. Then eval is fine, because this is a dangerous command for a dangerous purpose. If you add 100 REGEXP restrictions, the user simply opens a shell and sends the evil commands directly to the operating system. If the user has physical access to the computer, 100% bullet-proof systems are impossible. If you want to offer your GUI through a web interface for public access, check your log files very frequently.
