From 35368e531b36c800ff6e61fc79fcd9e05794aa7d Mon Sep 17 00:00:00 2001
From: James Cammarata
Date: Wed, 25 Jun 2014 20:18:03 -0500
Subject: [PATCH] Additional fixes for safe_eval
---
 lib/ansible/utils/__init__.py | 35 +++++++++++++++++++----------------
 1 file changed, 19 insertions(+), 16 deletions(-)
diff --git a/lib/ansible/utils/__init__.py b/lib/ansible/utils/__init__.py
index 89b8fc75dc..64d4c75292 100644
--- a/lib/ansible/utils/__init__.py
+++ b/lib/ansible/utils/__init__.py
@@ -1038,22 +1038,23 @@ def safe_eval(expr, locals={}, include_exceptions=False):
 # visitor class defined below.
 SAFE_NODES = set(
 (
- ast.Expression,
- ast.Compare,
- ast.Str,
- ast.List,
- ast.Tuple,
- ast.Dict,
- ast.Call,
- ast.Load,
+ ast.Add,
+ ast.Attribute,
 ast.BinOp,
- ast.UnaryOp,
+ ast.Call,
+ ast.Compare,
+ ast.Dict,
+ ast.Div,
+ ast.Expression,
+ ast.List,
+ ast.Load,
+ ast.Mult,
 ast.Num,
 ast.Name,
- ast.Add,
+ ast.Str,
 ast.Sub,
- ast.Mult,
- ast.Div,
+ ast.Tuple,
+ ast.UnaryOp,
 )
 )
@@ -1087,10 +1088,12 @@ def safe_eval(expr, locals={}, include_exceptions=False):
 def generic_visit(self, node):
 if type(node) not in SAFE_NODES:
 raise Exception("invalid expression (%s)" % expr)
- super(CleansingNodeVisitor, self).generic_visit(node)
- def visit_Call(self, call):
- if call.func.id not in CALL_WHITELIST:
- raise Exception("invalid function: %s" % call.func.id)
+ elif isinstance(node, ast.Call):
+ if not isinstance(node.func, ast.Attribute) and node.func.id not in CALL_WHITELIST:
+ raise Exception("invalid function: %s" % node.func.id)
+ # iterate over all child nodes
+ for child_node in ast.iter_child_nodes(node):
+ super(CleansingNodeVisitor, self).visit(child_node)
 if not isinstance(expr, basestring):
 # already templated to a datastructure, perhaps?
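Review bot: The new `ast.Attribute` entry in SAFE_NODES admits every attribute read in an evaluated expression, including underscore-prefixed names, and nothing visible in this patch constrains `node.attr`. The rest of the hunk only reorders the set, so this one line is the behavioural change and should carry a comment saying why attribute access is needed. If it has to stay, I would add a guard in `generic_visit` such as `if isinstance(node, ast.Attribute) and node.attr.startswith('_'): raise Exception("invalid expression (%s)" % expr)`. safe_eval's body starts and ends outside the hunk, so what objects the later evaluation makes reachable cannot be checked from here.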
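Review bot: Calls whose `func` is an `ast.Attribute` now skip CALL_WHITELIST entirely in the second hunk's `generic_visit`, so a method call on any object the expression can reach passes the visitor and the whitelist only still covers bare-name calls. Separately, a call whose `func` is neither a Name nor an Attribute appears to reach `node.func.id` and fail with AttributeError rather than the intended "invalid function" error. I would branch on the type of `node.func` explicitly and reject everything that is not a whitelisted name or a non-underscore method, as sketched below. The prefix check only narrows the exposure; an explicit allow-list of method names would be stricter. The visitor class header and the rest of safe_eval lie outside the hunk.

```python
            elif isinstance(node, ast.Call):
                func = node.func
                if isinstance(func, ast.Name):
                    if func.id not in CALL_WHITELIST:
                        raise Exception("invalid function: %s" % func.id)
                elif isinstance(func, ast.Attribute):
                    # method calls bypass CALL_WHITELIST, so at least refuse private/dunder names
                    if func.attr.startswith('_'):
                        raise Exception("invalid function: %s" % func.attr)
                else:
                    # any other callee shape is rejected instead of raising AttributeError
                    raise Exception("invalid expression (%s)" % expr)
            # … unchanged: iterate over all child nodes …
```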