Module that contains the logic for evaluating expressions in the template.
Expression evaluation is done without using a real Python eval, to keep it safe from arbitrary code execution.
Both parameter values and functions are stored in a dict that is passed to the Expression object when it is executed. The expressions should not allow access to anything outside this dict, and only sane access to objects reachable from this dict.
Parameter lookup gets list and dict items as well as object attributes. It does not allow accessing private attributes (names starting with "_") or code objects (object methods or functions); callable objects, on the other hand, can be accessed.
We control execution by only executing functions that are specifically whitelisted as being an ExpressionFunction (can be used as a decorator). The expression classes have builtin support for some builtin methods on strings, lists and dicts (see ExpressionString, ExpressionDict and ExpressionList respectively); other functions can be supplied in the context dict or as object attributes.
The biggest risks would be to put objects in the dict that allow access to dangerous methods or private data, or to have functions that e.g. eval one of their arguments or take a callable argument.
The idea is that objects in the expression dict are proxies that expose a subset of the full object API and template-friendly methods. These restrictions should help to minimize the risk of arbitrary code execution in expressions.
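The lookup and whitelist rules described above, shown in working code. This is an added example, not this module's own implementation: the `ExpressionFunction` / `BoundExpressionFunction` wrappers, the `lookup`, `resolve` and `call` helpers, and the `User` sample object are all stand-ins constructed here. The example enforces the three rules the docstring states: dict items, list items and public attributes are reachable; names starting with "_" and raw function, method or code objects are not; callable objects (here, the whitelist wrappers) pass through, and only those may be invoked.

```python
import inspect
import types
from typing import Any


class ExpressionError(Exception):
    """Raised when an expression reaches outside the permitted surface."""


class ExpressionFunction:
    """Marks a function or method as callable from expressions (added stand-in).

    It is a callable *object*, not a raw function, so lookup() lets it through.
    """

    def __init__(self, func):
        self._func = func  # leading underscore: never reachable via lookup()

    def __call__(self, *args):
        return self._func(*args)

    def __get__(self, instance, owner=None):
        # When used as a method decorator, bind to the instance on attribute access.
        if instance is None:
            return self
        return BoundExpressionFunction(self._func, instance)


class BoundExpressionFunction:
    """A whitelisted method bound to one instance (added stand-in)."""

    def __init__(self, func, instance):
        self._func = func
        self._instance = instance

    def __call__(self, *args):
        return self._func(self._instance, *args)


WHITELISTED = (ExpressionFunction, BoundExpressionFunction)


def lookup(value: Any, name: Any) -> Any:
    """One lookup step: dict key, list index, or public attribute.

    Blocks names starting with "_" and any raw function, method or code object;
    whitelisted wrapper objects (and other plain callable objects) pass through.
    """
    if isinstance(name, str) and name.startswith("_"):
        raise ExpressionError("private name not allowed: %r" % name)
    try:
        if isinstance(value, dict):
            result = value[name]
        elif isinstance(value, (list, tuple)):
            result = value[int(name)]
        else:
            result = getattr(value, name)
    except (KeyError, IndexError, AttributeError, TypeError, ValueError):
        raise ExpressionError("cannot resolve %r" % (name,)) from None
    # Whitelist check comes first: ExpressionFunction defines __get__, so
    # inspect.isroutine() would otherwise classify it as a method descriptor.
    if isinstance(result, WHITELISTED):
        return result
    if inspect.isroutine(result) or isinstance(result, types.CodeType):
        raise ExpressionError("raw function/method/code object not allowed: %r" % (name,))
    return result


def resolve(context: dict, *steps) -> Any:
    """Walk a path such as user.tags[1] starting from the context dict."""
    value = context
    for step in steps:
        value = lookup(value, step)
    return value


def call(func: Any, *args) -> Any:
    """Invoke a resolved value only if it is a whitelisted wrapper."""
    if not isinstance(func, WHITELISTED):
        raise ExpressionError("not whitelisted for calling: %r" % (func,))
    return func(*args)


def is_blocked(context: dict, *steps) -> bool:
    """True if resolving the path raises ExpressionError."""
    try:
        resolve(context, *steps)
    except ExpressionError:
        return True
    return False


def is_call_blocked(func: Any, *args) -> bool:
    """True if call() refuses to invoke func."""
    try:
        call(func, *args)
    except ExpressionError:
        return True
    return False


class User:
    """Constructed sample object placed in the context dict."""

    def __init__(self, name, tags):
        self.name = name
        self.tags = tags
        self._secret = "constructed private data"

    @ExpressionFunction
    def greeting(self, salutation):
        return "%s, %s" % (salutation, self.name)

    def raw_method(self):
        return "plain method: not reachable from expressions"


def make_context() -> dict:
    """Constructed context: a sample object plus one whitelisted helper."""
    return {"user": User("Ada", ["admin", "dev"]), "upper": ExpressionFunction(str.upper)}


if __name__ == "__main__":
    ctx = make_context()
    print(resolve(ctx, "user", "tags", 1))
    print(call(resolve(ctx, "user", "greeting"), "Hello"))
    print(is_blocked(ctx, "user", "_secret"), is_blocked(ctx, "user", "raw_method"))
```

Note that `resolve(ctx, "user", "name", "upper")` is refused: the builtin `str.upper` reached through a plain string is a raw method, which is exactly why the module routes string, list and dict methods through its proxy objects instead of exposing the underlying builtins.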
Kind | Name | Description
--- | --- | ---
Class | BoundExpressionFunction | Wrapper used by ExpressionFunction when used as a decorator for object methods.
Class | Expression | Base class for all expressions.
Class | ExpressionDictObject | Proxy for dict objects that gives safe methods for use in expressions.
Class | ExpressionFunction | Wrapper for methods and functions that whitelists functions to be called from expressions.
Class | ExpressionFunctionCall | Expression with a function name and arguments; recurses for the arguments and evaluates the function.
Class | ExpressionList | Expression for a list of expressions; recurses on all items when evaluated.
Class | ExpressionListObject | Proxy for list objects that gives safe methods for use in expressions.
Class | ExpressionLiteral | Expression with a literal value.
Class | ExpressionObjectBase | Base class for wrapper objects that are used to determine the safe functions to call on objects in the parameter dict.
Class | ExpressionOperator | Expression for an operator statement (e.g. "AND", "OR", "<"); recurses for the left and right side of the expression.
Class | ExpressionParameter | Expression with a parameter name; evaluates the parameter value.
Class | ExpressionStringObject | Proxy for string objects that gives safe methods for use in expressions.
Class | ExpressionUnaryOperator | Expression with a unary operator (e.g. "NOT") that recurses for the right-hand side of the statement.
Variable | logger | Undocumented