Re: [Pyparsing] Question/help with pyparsing
From: Vineet J. (gmail) <vin...@gm...> - 2007-11-10 13:51:42
>> Have you considered using codeop.py to attempt to compile their Python list and dict code?

That's a good idea. My current plan is to use part of the following recipe:
http://aspn.activestate.com/ASPN/Cookbook/Python/Recipe/496746
with the following restrictions:

    unallowed_ast_nodes = [
        'Backquote', 'Exec', 'From', 'Global',
        'GenExpr', 'GenExprFor', 'GenExprIf', 'GenExprInner', 'Getattr',
        'Import', 'Power', 'TryExcept', 'TryFinally', 'Yield'
    ]

    # Deny evaluation of code if it tries to access any of the following builtins:
    unallowed_builtins = [
        '__import__', 'chr', 'apply', 'basestring', 'buffer', 'callable',
        'chr', 'classmethod', 'coerce', 'compile', 'complex', 'delattr',
        'dir', 'divmod', 'eval', 'execfile', 'file', 'filter', 'frozenset',
        'getattr', 'globals', 'hasattr', 'hex', 'id', 'input', 'intern',
        'isinstance', 'issubclass', 'locals', 'map', 'object', 'oct', 'open',
        'ord', 'pow', 'property', 'range', 'raw_input', 'reduce', 'reload',
        'repr', 'reversed', 'round', 'set', 'setattr', 'staticmethod',
        'super', 'type', 'unichr', 'unicode', 'vars', 'zip'
    ]

I will also check for use of * and ** with pyparsing. I will replace both of these with my wrappers around them to make sure that there are no cases for:

    20000**11111111111111111111111111111111111
    [1]*11111111111111111111111111111111111

etc.

I think given this, I should be able to run untrusted code.

Thanks,
Vineet
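The plan in the message above, sketched as an added example (not code from the post or from the linked recipe): it uses the Python 3 `ast` module instead of the Python 2 `compiler` module, and rewrites `*` and `**` in the AST rather than with pyparsing. It accepts a single expression only, so the statement nodes on the post's list (Import, Exec, Global, try) are already refused by the parser; the limits `MAX_BITS` and `MAX_ITEMS` and all function names are assumptions.

```python
import ast

# Expression-level nodes from the post's list, under their Python 3 `ast` names
DENIED_NODES = (ast.Attribute, ast.GeneratorExp, ast.Yield, ast.YieldFrom)
DENIED_NAMES = {"__import__", "eval", "compile", "open", "getattr"}  # subset
MAX_BITS = 4096     # assumed cap on the bit length of an integer result
MAX_ITEMS = 10_000  # assumed cap on the length of a repeated sequence

def check(source):
    """Parse one expression and apply both deny lists to its AST."""
    tree = ast.parse(source, mode="eval")
    for node in ast.walk(tree):
        if isinstance(node, DENIED_NODES):
            raise ValueError("node not allowed: " + type(node).__name__)
        if isinstance(node, ast.Name) and node.id in DENIED_NAMES:
            raise ValueError("name not allowed: " + node.id)
    return tree

def safe_mul(a, b):
    """Wrapper for `*`: bound sequence repetition and integer size."""
    for seq, n in ((a, b), (b, a)):
        if (isinstance(seq, (list, tuple, str, bytes)) and isinstance(n, int)
                and len(seq) * n > MAX_ITEMS):
            raise ValueError("sequence repetition too large")
    if (isinstance(a, int) and isinstance(b, int)
            and a.bit_length() + b.bit_length() > MAX_BITS):
        raise ValueError("integer product too large")
    return a * b

def safe_pow(a, b):
    """Wrapper for `**`: estimate the result size before computing it."""
    if (isinstance(a, int) and isinstance(b, int) and b > 0
            and a.bit_length() * b > MAX_BITS):
        raise ValueError("integer power too large")
    return a ** b

class GuardOps(ast.NodeTransformer):
    """Rewrite `a * b` and `a ** b` into calls to the wrappers above."""
    def visit_BinOp(self, node):
        self.generic_visit(node)  # rewrite nested operands first
        name = {ast.Mult: "safe_mul", ast.Pow: "safe_pow"}.get(type(node.op))
        if name is None:
            return node
        return ast.Call(ast.Name(name, ast.Load()), [node.left, node.right], [])

def evaluate(source):
    tree = ast.fix_missing_locations(GuardOps().visit(check(source)))
    env = {"__builtins__": {}, "safe_mul": safe_mul, "safe_pow": safe_pow}
    return eval(compile(tree, "<untrusted>", "eval"), env)
```

The rewrite has to happen before `compile()`, because the compiler may otherwise try to fold a constant expression such as the first one in the message. Only `*` and `**` are bounded here, as in the post; any other operator or name reaches `eval` unchanged unless it is added to the policy.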