How `eval()` is not 'dangerous' in this example
By : user3067115
Date : March 29 2020, 07:55 AM
The code is not safe in the slightest. It's relatively easy to get access to the builtins module just by accessing attributes of literals, e.g.:
result = eval("""[klass for klass in ''.__class__.__base__.__subclasses__()
                 if klass.__name__ == "BuiltinImporter"][0].load_module("builtins")""",
              {"__builtins__": None}, {})
assert result is __builtins__
Is javascript eval still dangerous if code is checked using (for example) jshint before eval?
By : Pkumar
Date : March 29 2020, 07:55 AM
User-provided text is never safe to eval, or at least should be considered never safe, because the amount of effort you could put into proving safety far exceeds the amount of effort to accomplish what you want a different way. JSHint looks at code syntax and (perhaps somewhat subjective) measures of quality, and malicious code is perfectly capable of satisfying those two things. For example, this is lovely code that may well do a lot of damage if you let me run it on your server:
require('child_process').spawn('rm', ['-rf', '/']);
EVAL(). Is this dangerous?
By : Aaron Casper
Date : March 29 2020, 07:55 AM
I can't see any reason for eval here at all. You're trying to get the method on LP that corresponds to the LANGUAGE setting. So, you can use getattr:
import os

# Look up the LP method named by the language setting instead of eval()-ing a string
meth = getattr(LP, Language)
result = meth()

# Read the locale from the environment and drop the trailing newline
lang = os.environ["LANG"].rstrip('\n')
if lang.endswith(".UTF-8"):
    ...
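One way to do that getattr dispatch safely, added here as an example that is not code from the answer above: the class `LP`, its three methods and the `ALLOWED_LANGUAGES` set are hypothetical stand-ins for the poster's class and LANGUAGE setting. The membership check before `getattr` is the caveat worth keeping, because `getattr(obj, user_string)` on its own reaches whatever attribute the user names, `__class__` included.

```python
# Added example (not from the original answer): dispatching on a user-supplied
# name with getattr() plus an explicit allowlist, instead of eval().
# `LP`, its methods and ALLOWED_LANGUAGES are hypothetical stand-ins.


class LP:
    """Hypothetical language processor with one method per supported language."""

    def english(self):
        return "hello"

    def french(self):
        return "bonjour"

    def german(self):
        return "hallo"


# Names a caller may select. Anything not listed is refused before getattr()
# runs, so strings such as "__class__" or "__dict__" never reach it.
ALLOWED_LANGUAGES = frozenset({"english", "french", "german"})


def is_permitted(language):
    """True if the name is one of the allowlisted language methods."""
    return language in ALLOWED_LANGUAGES


def call_language_method(obj, language):
    """Return obj.<language>() for an allowlisted name; ValueError otherwise."""
    if not is_permitted(language):
        raise ValueError(f"unsupported language: {language!r}")
    method = getattr(obj, language)
    return method()


def classify_name(obj, language):
    """Classify a name as 'ok', 'rejected' or 'leak'.

    'leak' marks a name that the allowlist refuses but that an unchecked
    getattr() would have resolved anyway (e.g. '__class__'); it exists only to
    make the caveat concrete.
    """
    if is_permitted(language):
        return "ok"
    if hasattr(obj, language):
        return "leak"
    return "rejected"


if __name__ == "__main__":
    lp = LP()
    print(call_language_method(lp, "french"))   # bonjour
    print(classify_name(lp, "__class__"))       # leak
    try:
        call_language_method(lp, "__class__")
    except ValueError as exc:
        print("refused:", exc)
```

The allowlist is the part that carries the security value; `getattr` merely replaces string building. If the set of languages lives in configuration, load it into the frozenset at startup rather than accepting whatever name arrives at runtime.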
Is Kotlin eval() dangerous?
By : Kieron
Date : March 29 2020, 07:55 AM
When using Kotlin for JavaScript projects, the Kotlin code is transpiled to JavaScript code. To provide full compatibility, eval() is also available. And to answer the main question: yes, eval() used in Kotlin code is as dangerous as using it in JavaScript code and should be avoided for the same reasons you already mentioned in your question.
Is Javascript eval() so dangerous?
By : Eduardo Alvarez Pere
Date : March 29 2020, 07:55 AM
You're right that an end user can easily execute arbitrary JavaScript anyway via the browser's developer console (I do this all the time). What you have to worry about is an attacker hijacking your feature that uses eval for his own ends. The reason eval is generally considered dangerous is that it is very easy for untrusted code to sneak in. Consider a page that allows you to specify input via a query string, where the input box is prepopulated with the value in the query string.