fix: mitigate code injection related in #672

[juarezr]

This PR has the objective of .

Changes

1. mitigate code injection related in Code Injection via eval() in util.base.expr #672

Checklist

Use this checklist to ensure the quality of pull requests that include new code and/or make changes to existing code.

• Source Code guidelines:
  • Includes unit tests
  • New functions have docstrings with examples that can be run with doctest
  • New functions are included in API docs
  • Docstrings include notes for any changes to API or behavior
  • All changes are documented in docs/changes.rst
• Versioning and history tracking guidelines:
  • Using atomic commits whenever possible
  • Commits are reversible whenever possible
  • There are no incomplete changes in the pull request
  • There is no accidental garbage added to the source code
• Testing guidelines:
  • Tested locally using tox / pytest
  • Rebased to master branch and tested before sending the PR
  • Automated testing passes (see CI)
  • Unit test coverage has not decreased (see Coveralls)
• State of these changes is:
  • Just a proof of concept
  • Work in progress / Further changes needed
  • Ready to review
  • Ready to merge

[coveralls]

Pull Request Test Coverage Report for Build 16203809193

Details

• 97 of 136 (71.32%) changed or added relevant lines in 15 files are covered.
• 9 unchanged lines in 8 files lost coverage.
• Overall coverage decreased (-0.2%) to 90.924%

---

Changes Missing Coverage	Covered Lines	Changed/Added Lines	%
petl/test/io/test_db_create.py	2	3	66.67%
petl/test/io/test_db_inference.py	14	16	87.5%
petl/test/util/test_base.py	26	41	63.41%
petl/util/base.py	28	49	57.14%

Files with Coverage Reduction	New Missed Lines	%
petl/io/remotes.py	1	84.95%
petl/test/io/test_db_create.py	1	93.23%
petl/test/io/test_numpy.py	1	98.43%
petl/test/io/test_pandas.py	1	93.33%
petl/test/io/test_pytables.py	1	98.15%
petl/test/io/test_whoosh.py	1	98.15%
petl/test/transform/test_intervals.py	1	97.73%
petl/test/io/test_remotes.py	2	88.89%

Totals
Change from base Build 15981322831:	-0.2%
Covered Lines:	13464
Relevant Lines:	14808

---

💛 - Coveralls

[l3str4nge]

 petl/util/__init__.py:4: in <module>
    from petl.util.base import Table, Record, values, header, data, \
E     File "/home/runner/work/petl/petl/petl/util/base.py", line 686
E       raise ValueError('Invalid expression: %s' % strexpr) from ve
E                                                               ^
E   SyntaxError: invalid syntax

Tests are failing 👀 however they are on the right way I guess 😄

[l3str4nge]

Imo it's still vulnerable, example:

"{__class__.__mro__[1].__subclasses__()[59]('/etc/passwd').read()}"

[l3str4nge]

Maybe you can use https://lmfit.github.io/asteval/ ?

[juarezr]

Imo it's still vulnerable, example:

"{__class__.__mro__[1].__subclasses__()[59]('/etc/passwd').read()}"

@l3str4nge,

You are correct.
I think this code wasn't meant to be used in unsafe environments.

Anyway, we have some possible approaches:

1. Add code like the above to mitigate somewhat the issue for current users.
2. Implement a second conditional version that uses asteval if available.
3. Deprecate the current mitigated code/approach and remove it in milestone v2.0 as it's planned for breaking changes.

Patches welcome. :)

[github-advanced-security]

Pylint (reported by Codacy) found more than 20 potential problems in the proposed changes. Check the Files changed tab for more details.

[github-advanced-security]

Pylintpython3 (reported by Codacy) found more than 20 potential problems in the proposed changes. Check the Files changed tab for more details.