Executing stringified python function from python script
I'd like to use Python's eval in a way similar to that of Javascript. In Javascript, I can eval something like this:
const myfunc = eval('function(arg1, arg2) ...... ');
myfunc(1, 2);
First of all, I'll start by saying that the functions being run are NOT from userland - only the admins on our team are writing the functions, and it's a core part of our product architecture. I'm aware of the security implications :)
Some things that I have thought of myself include:
- During runtime (so the format is preserved), using a library to convert the code into a single-liner. But I don't really want to rely on a third party library for doing this as that introduces potential future security holes.
- Temporarily saving the script to a file and importing that file dynamically using importlib. But then I end up with a potentially weird server state if file management commands fail or are used improperly, and I'm paranoid that I'll call the wrong script and execute the wrong code.
I don't really love either of these options. I know that I could make them both work if I had to, but was hoping to get input from people who know Python much better than I do.
python
asked Nov 13 '18 at 11:09
wheresmycookie
Off-topic, but in JavaScript that would be better as const myfunc = new Function("arg1", "arg2", "......"). MDN's "Do not ever use eval!" gives the reasoning.
– Amadan
Nov 13 '18 at 11:39
@Amadan thanks, that was a good read.
– wheresmycookie
Nov 13 '18 at 12:55
1 Answer
I used the 2nd option - it's much better than eval.
Files containing an entire class and its functions can be written at runtime and executed.
Using some scheme where you write a different class name each time and match the class name and function name can ensure you call the correct script when needed.
answered Nov 13 '18 at 11:35
Deepak Garud
Can you elaborate a little bit? So, supposing my function is stored in the database as a string (not a hard requirement), you're suggesting to output it into a file under a unique class name, import it, and execute it?
– wheresmycookie
Nov 13 '18 at 12:51
I had loaded python modules from files and found that I could handle dynamically written multi line indented code (with try catch blocks as well), better than executing it with eval. My point was that you need not fear calling the wrong code with this approach. If writing files is not a good approach for your design, that is another thing.
– Deepak Garud
Nov 13 '18 at 14:39
I think that this is probably the correct approach, I agree. It seems like there are some mechanics that need to be thought through, but unless any other interesting ideas are posted here I'll probably go with this option.
– wheresmycookie
Nov 13 '18 at 14:53
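One way to implement the write-a-file-and-import approach discussed in this answer, as an added example that is not code from the original posts. It names the module after a hash of its content rather than a unique class name, and the names `load_function`, `SAMPLE_SOURCE`, the `dynfunc_` prefix and the pinned SHA-256 check are assumptions made for illustration.

```python
import hashlib
import importlib.util
import os
import tempfile

# Constructed sample: admin-authored source as it might be stored in a database.
SAMPLE_SOURCE = '''
def myfunc(arg1, arg2):
    try:
        return arg1 / arg2
    except ZeroDivisionError:
        return None
'''


def load_function(source, func_name, expected_sha256=None, workdir=None):
    """Write source to a uniquely named module file, import it, return func_name."""
    digest = hashlib.sha256(source.encode("utf-8")).hexdigest()
    # Refuse to run anything whose hash differs from the one recorded at review time.
    if expected_sha256 is not None and digest != expected_sha256:
        raise ValueError("source does not match the pinned hash")
    # The module name is derived from the content, so two different sources
    # can never share a file name or a module name.
    module_name = "dynfunc_" + digest[:16]
    workdir = workdir or tempfile.mkdtemp(prefix="dynfunc_")
    path = os.path.join(workdir, module_name + ".py")
    # Write under a temporary name and rename, so a failed write never
    # leaves a half-written module at the final path.
    tmp_path = path + ".tmp"
    with open(tmp_path, "w", encoding="utf-8") as fh:
        fh.write(source)
    os.replace(tmp_path, path)
    spec = importlib.util.spec_from_file_location(module_name, path)
    module = importlib.util.module_from_spec(spec)
    spec.loader.exec_module(module)  # executes the module body
    func = getattr(module, func_name, None)
    if not callable(func):
        raise AttributeError(f"{func_name!r} is not defined in the stored source")
    return func


if __name__ == "__main__":
    pinned = hashlib.sha256(SAMPLE_SOURCE.encode("utf-8")).hexdigest()
    myfunc = load_function(SAMPLE_SOURCE, "myfunc", expected_sha256=pinned)
    print(myfunc(1, 2))
```

The module is deliberately not registered in sys.modules, so a later import statement cannot pick it up by name; callers only get the function object that load_function returns.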