
- Parse the config file with yaml.safe_load(), not yaml.load().
- Use YAML lists for the blacklist functions/imports plugins.
- Add plugins to the ShellInjection profile in the config.
- Don't blacklist user-defined methods named `eval`.

Change-Id: I437eedc4bfd56c96116cb92fe555968cf0f8dd63
16 lines
283 B
Python

```python
import os

print(eval("1+1"))
print(eval("os.getcwd()"))
# 0777 is a Python 2 octal literal (0o777 under Python 3); the string is only
# evaluated at run time, so the file itself still parses under either version.
print(eval("os.chmod('%s', 0777)" % 'test.txt'))


# A user-defined method named "eval" should not get flagged.
class Test(object):
    def eval(self):
        print("hi")

    def foo(self):
        self.eval()


Test().eval()
```
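A detector along the lines the commit message describes, written here as an added example rather than bandit's own plugin code: it flags calls to a blacklisted builtin made by bare name, ignores attribute calls such as `self.eval()` or `Test().eval()`, and treats a module-level `def` that shadows the builtin as user code. The sample sources, `BLACKLIST` and the function names are constructed for this example.

```python
import ast

# Constructed sample mirroring the example file above.
SAMPLE = """\
import os
print(eval("1+1"))
print(eval("os.getcwd()"))
print(eval("os.chmod('%s', 0o777)" % 'test.txt'))

# A user-defined method named "eval" should not get flagged.
class Test(object):
    def eval(self):
        print("hi")

    def foo(self):
        self.eval()

Test().eval()
"""

# Constructed sample: a module-level function that shadows the builtin.
SHADOWED = """\
def eval(expr):
    return expr
eval("x")
"""

BLACKLIST = {"eval", "exec"}


def find_blacklisted_calls(source):
    """Return (name, lineno) for calls to blacklisted builtins, in line order."""
    tree = ast.parse(source)
    # Module-level defs that reuse a blacklisted name: calls to them hit user
    # code, not the builtin, so they are excluded from the findings.
    shadowed = {n.name for n in tree.body if isinstance(n, ast.FunctionDef)}
    hits = []
    for node in ast.walk(tree):
        # Only bare-name callees count; self.eval() / Test().eval() have an
        # ast.Attribute callee and a def named eval is not a call at all.
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)):
            continue
        name = node.func.id
        if name in BLACKLIST and name not in shadowed:
            hits.append((name, node.lineno))
    return sorted(hits, key=lambda hit: hit[1])


if __name__ == "__main__":
    for name, lineno in find_blacklisted_calls(SAMPLE):
        print("line %d: call to blacklisted builtin %s()" % (lineno, name))
```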