Code Injection via eval() in `util.base.expr`

[l3str4nge]

What happened?

In this function https://github.com/petl-developers/petl/blame/master/petl/util/base.py#L681 eval is used so it's really risky and could lead to potential security issues. With this version any python code could be triggered so getting reverse shell is not a big deal.

POC:

expr("__import__('os').system('id')")(2)

iterfieldmap is affected https://github.com/petl-developers/petl/blob/master/petl/transform/maps.py#L106

What is the expected behavior?

Do not use eval? Remove the function from the codebase?

Reproducible test case

What version of petl are you have found the bug?

ANY

Version

python 3.9

What OS are you seeing the problem on?

Linux

What OS version are you using?

No response

What package manager you used to install?

pip

What's the current installed packages?

No response

Relevant log output

Additional Notes

No response

Code of Conduct

• I agree to follow this project's Code of Conduct

[juarezr]

It may affect:

• the expr() method itself.
• the fieldmap as it is using expr() internally.
  • Called in the iterfieldmap internal method.
• the convert as it is using expr() internally.
  • Called in the iterfieldconvert internal method.
  • Also, all the derived convert() methods: convertall, replace, replaceall, update, convertnumbers, format, formatall, interpolate, interpolateall
• the select when using the second argument as string as it is using expr() internally.
  • Als,o all the derived select() methods: selectop, selectcontains, selecteq, selectfalse, selectge, selectgt, selectin, selectis, selectisinstance, selectisnot, selectle, selectlt, selectne, selectnone, selectnotin, selectnotnone, selectrangeclosed, selectrangeopen, selectrangeopenleft, selectrangeopenright, selecttrue, selectusingcontext, rowlenselect, facet, biselect

[juarezr]

@l3str4nge,

Would you mind to review #681 ?

[l3str4nge]

Yes, sure. Sorry for the delay.