The root of all eval()

[HughBanton]

Made a discovery the other day, I had no idea you could do this with Ruby. (But then there's lots & lots I don't know ... > Lots. )

eval_dem.fsm

(451 Bytes) Downloaded 479 times

In my example you can write a regular text list containing expressions, and then select one of them.

A bit like the new Eval prim in the FS Alfa, eval() enables Ruby to run code that has been written as text somewhere else, outside of its own regular 'red' editor. In this instance it comes from a text box, but it could actually be sourced from anywhere. So this is really flexible - with this arrangement you can enter any valid Ruby code through an S input and eval() will execute it; my code-selector example is just one possibility.

However ...

I put up something similar on Discord, and got an immediate warning from Myco (The Boss!), with a link to an 'Eval is Evil' site! Omg Omg . (Google that phrase - there's lots of them).

The point is, always, that if you allow external code to enter an eval() in Ruby then it's going to get executed, and if you take no precautions it could allow for something malicious to enter. It's a lesson heeded because my plan is - guess what! - to make something like this that decodes some form of 'config' text file, in order to set up various input parameters and maybe switching-equations. Seems like I'm going to need to introduce some careful parsing/filtering to make it safe ...

H

[DaveyBoy]

Hi Hugh
I have succesfully used this method for storing drum machine songs/patterns and other settings in a config file and it works like a charm.
As this is only used by me I don't see an issue with the vulnerabilities. If however this was released to the public then obviously it would be a concern.

I'm wondering is it possible to encode the file somehow so that it is not saved as plain text . . . or would that make no difference?

Hoping one of the Ruby experts can advise

[RJHollins]

Pretty Cool !

[tulamide]

Some time back, eval() came up here on the forums as well, and I also warned harshly! It cannot be stressed enough, how dangerous it is to use it, especially when you are not a Ruby Pro (none of us here is, that's the level of Pro I mean).

Just two lines of code can erase a users whole harddisk for example. Installing a trojan would be easy, and so on. Don't use eval().

[tulamide]

As this is only used by me I don't see an issue with the vulnerabilities. If however this was released to the public then obviously it would be a concern.

If there is no user access at all, it is safe. If the files you write to are not part of the evaluation, it should be safe. As soon as user input is involved, it is highly dangerous.

[DaveyBoy]

Thanks for the heads up Tula, confirms my thoughts.
I have been experimenting with the green text prim that Hugh is using in his example.
Strings can be formatted and written to the prim(s) and evaluated when required.
The data is saved when powered off so this could be used as a safe 'internal' config or memory component without the need to write to file which can obviously be interfered with.

I'm also thinking that that this could form the basis of a custom preset manager

[HughBanton]

Some time back, eval() came up here on the forums as well, and I also warned harshly!

Thanks T, we just luv it when you talk harsh.

https://xkcd.com/327/

I'll be sure to sanitize my inputs

H