DEV Community

Cover image for Code Smell 245 - exec() and eval()
Maxi Contieri
Maxi Contieri

Posted on • Originally published at maximilianocontieri.com

3

Code Smell 245 - exec() and eval()

A great door for hackers

TL;DR: Don't use metaprogramming. It is not that cool

Problems

  • Security

  • Limited Control

Solutions

  1. Use direct calls

  2. Wrap the execution in a primitive and controlled command

  3. Sanitize it

Context

Developers employ the eval() and exec() functions to evaluate arbitrary expressions from strings.

They can be a powerful tool in certain contexts but come with several risks and problems, especially when used with untrusted input or where the code's behavior is not fully controlled or understood.

Sample Code

Wrong

def calculate(mathOperand, firstArgument, secondArgument):
    return eval(f'{firstArgument} {mathOperand} {secondArgument}')

# Sample usage to multiply two numbers
result = calculate('*', 4, 6)

# Injection to remove all files
calculate('', "__import__('os').system('rm -rf *')",''))
Enter fullscreen mode Exit fullscreen mode

Right

def calculate(mathOperand, firstArgument, secondArgument):
    if mathOperand == '+':
        return firstArgument + secondArgument
    elif mathOperand == '-':
        return firstArgument - secondArgument
    elif mathOperand == '*':
        return firstArgument * secondArgument
    elif mathOperand == '/':
        if secondArgument != 0:
            return firstArgument / secondArgument
        else:
            return "Error: Division by zero"
    else:
        return "Error: Invalid operation - Do not hack!"

# This is a quick solution but another smell
# You should avoid this kind of switches and iterate to 
# a Polymorphic Hierarchy
Enter fullscreen mode Exit fullscreen mode

Detection

[X] Automatic

You can search for eval() in the code

Tags

  • Metaprogramming

Level

[x] Intermediate

AI Assistants

Most AI Assistants avoid using eval() in their solutions.

They also recognize it as a code smell and offer different options

Conclusion

Avoid this metaprogramming solution by hardcoding all the possible scenarios and avoiding over-generalizations.

Relations

More Info

Disclaimer

Code Smells are my opinion.

Credits

Photo by Yang on Unsplash


When you actually sit down to write some code, you learn things that you didn’t get from thinking about them in modeling terms…there is a feedback process there that you can only really get at from executing some things and seeing what works.

Martin Fowler


This article is part of the CodeSmell Series.

Redis image

Short-term memory for faster
AI agents 🤖💨

AI agents struggle with latency and context switching. Redis fixes it with a fast, in-memory layer for short-term context—plus native support for vectors and semi-structured data to keep real-time workflows on track.

Start building

Top comments (0)

Redis image

Short-term memory for faster
AI agents

AI agents struggle with latency and context switching. Redis fixes it with a fast, in-memory layer for short-term context—plus native support for vectors and semi-structured data to keep real-time workflows on track.

Start building

👋 Kindness is contagious

Dive into this thoughtful piece, beloved in the supportive DEV Community. Coders of every background are invited to share and elevate our collective know-how.

A sincere "thank you" can brighten someone's day—leave your appreciation below!

On DEV, sharing knowledge smooths our journey and tightens our community bonds. Enjoyed this? A quick thank you to the author is hugely appreciated.

Okay