Executing stringified python function from python script










I'd like to use Python's eval in a way similar to that of JavaScript. In JavaScript, I can eval something like this:



const myfunc = eval('function(arg1, arg2) ...... ');
myfunc(1, 2);


First of all, I'll start by saying that the functions being run are NOT from userland - only the admins on our team are writing the functions, and it's a core part of our product architecture. I'm aware of the security implications :)



Some things that I have thought of myself include:



  1. During runtime (so the format is preserved), using a library to convert the code into a single-liner. But I don't really want to rely on a third-party library for doing this as that introduces potential future security holes.

  2. Temporarily saving the script to a file and importing that file dynamically using importlib. But then I end up with a potentially weird server state if file management commands fail or are used improperly, and I'm paranoid that I'll call the wrong script and execute the wrong code.

I don't really love either of these options. I know that I could make them both work if I had to, but was hoping to get input from people who know Python much better than I do.







python
















asked Nov 13 '18 at 11:09









wheresmycookie







  • 1





    Off-topic, but in JavaScript that would be better as const myfunc = new Function("arg1", "arg2", "......"). MDN's "Do not ever use eval!" gives the reasoning.

    – Amadan
    Nov 13 '18 at 11:39












  • @Amadan thanks, that was a good read.

    – wheresmycookie
    Nov 13 '18 at 12:55
















1 Answer
I used the 2nd option - it's much better than eval.

Files containing an entire class and its functions can be written at runtime and executed.
Using some scheme where you write a different class name each time and match the class name and function name can ensure you call the correct script when needed.

















answered Nov 13 '18 at 11:35









Deepak Garud












  • Can you elaborate a little bit? So, supposing my function is stored in the database as a string (not a hard requirement), you're suggesting to output it into a file under a unique class name, import it, and execute it?

    – wheresmycookie
    Nov 13 '18 at 12:51











  • I had loaded Python modules from files and found that I could handle dynamically written multi-line indented code (with try catch blocks as well) better than executing it with eval. My point was that you need not fear calling the wrong code with this approach. If writing files is not a good approach for your design, that is another thing.

    – Deepak Garud
    Nov 13 '18 at 14:39











  • I think that this is probably the correct approach, I agree. It seems like there are some mechanics that need to be thought through, but unless any other interesting ideas are posted here I'll probably go with this option.

    – wheresmycookie
    Nov 13 '18 at 14:53
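
The file-plus-importlib approach discussed in this answer and its comments, as an added example (not code from either poster): the source string is written to a private temporary directory under a module name derived from its SHA-256, so one name can only ever refer to one exact text, and the directory is removed whether or not the import succeeds. The HMAC check and the names `ADMIN_KEY`, `SOURCE`, `sign` and `load_function` are assumptions made for this illustration.

```python
import hashlib
import hmac
import importlib.util
import sys
import tempfile
from pathlib import Path

# Constructed sample values: a demo key and an admin-authored function.
ADMIN_KEY = b"demo-key-not-a-real-secret"
SOURCE = '''
def myfunc(arg1, arg2):
    try:
        return arg1 / arg2
    except ZeroDivisionError:
        return None
'''


def sign(source, key):
    """HMAC-SHA256 tag an admin tool would store next to the source."""
    return hmac.new(key, source.encode("utf-8"), hashlib.sha256).hexdigest()


def load_function(source, func_name, tag, key):
    """Verify the source, import it from a file, return the named function."""
    # Refuse anything whose tag was not produced with the admin key.
    if not hmac.compare_digest(sign(source, key), tag):
        raise ValueError("tag mismatch: refusing to import")

    # Content-derived module name: one name can only mean one exact source.
    digest = hashlib.sha256(source.encode("utf-8")).hexdigest()
    module_name = "dynfn_" + digest[:16]
    if module_name not in sys.modules:
        # Private temp dir, removed on exit even if the import raises.
        with tempfile.TemporaryDirectory(prefix="dynfn_") as tmp:
            path = Path(tmp) / (module_name + ".py")
            path.write_text(source, encoding="utf-8")
            spec = importlib.util.spec_from_file_location(module_name, path)
            module = importlib.util.module_from_spec(spec)
            sys.modules[module_name] = module
            try:
                spec.loader.exec_module(module)  # runs the admin-written code
            except BaseException:
                sys.modules.pop(module_name, None)  # no half-imported module
                raise

    func = getattr(sys.modules[module_name], func_name)
    if not callable(func):
        raise TypeError(f"{func_name} is not callable")
    return func


if __name__ == "__main__":
    myfunc = load_function(SOURCE, "myfunc", sign(SOURCE, ADMIN_KEY), ADMIN_KEY)
    print(myfunc(1, 2), myfunc(1, 0))
```

The imported module stays usable from memory after the temporary file is gone; the tag check only establishes who wrote the source and does not sandbox what it does once imported.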
















