
Commit ea6a758

Merge pull request #584 from nickila/okta_whitelist
Added whitelist for functions available inside of eval()
2 parents d79bdb0 + e126106 commit ea6a758


1 file changed

+8
-1
lines changed

1 file changed

+8
-1
lines changed

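--- a/user_sync/connector/directory_okta.py
+++ b/user_sync/connector/directory_okta.py
@@ -309,8 +309,15 @@ def iter_search_result(self, filter_string, attributes):
         return users
 
     def filter_users(self, users, filter_string):
+        # Allow the following builtin functions to be used in eval()
+        whitelist = {
+            "len": len, "int": int, "float": float, "str": str, "enumerate": enumerate, "filter": filter,
+            "getattr": getattr, "hasattr": hasattr, "list": list, "map": map, "max": max, "min": min,
+            "range": range, "sorted": sorted, "sum": sum, "tuple": tuple, "zip": zip
+        }
+
         try:
-            return list(filter(lambda user: eval(filter_string), users))
+            return list(filter(lambda user: eval(filter_string, {"__builtins__": whitelist}, {"user": user}), users))
         except SyntaxError as e:
             raise AssertionException("Invalid syntax in predicate (%s): cannot evaluate" % filter_string)
         except Exception as e: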
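Review bot: The builtins whitelist handed to eval() on new line 320 limits which names the predicate can resolve, but it does not limit attribute access on the `user` object passed in as a local, so the restriction is a hardening measure rather than a sandbox and should not be described as one; the comment on line 312 should say so, e.g. `# Restrict the builtins a configured predicate may call; this is not a sandbox -- filter_string must come from trusted configuration only`. Whether filter_string is in fact only ever read from the connector's configuration is not visible in this hunk, so that assumption is worth confirming where the caller builds it. The `whitelist` dict is also rebuilt on every call; hoisting it to a module-level `_EVAL_BUILTINS` constant keeps the policy in one visible place and makes the per-user lambda cheaper. Note that `filter_users` continues past the end of the hunk, so the final `except Exception` handler's behavior is not reviewed here.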
