A common feature in many scripting languages is an eval function. Pass it a string representing source code, and the function will compile it and then interpret it. This function is called eval if the source code string represents an expression that produces a value, and might be called exec if it does not.
Eval is controversial and much-maligned because it is (1) so often abused, (2) so often used when much better alternatives exist, (3) is slow, and (4) can lead to disaster if misused. It is not rare to hear the claim "eval is evil." So the questions are: should a language allow eval and if so, how should this feature be designed?
Problems with eval
Things to watch out for:
- Eval is slow because a compiler has to be launched to lex and parse the code string, prior to evaluating it.
- Eval is lame because programmers may sometimes use eval without thinking. While it would be rare for anyone to blatantly pass a fixed string to eval, such as
eval("x = 3;");one can usually get away with creating an anonymous function.
- Eval is a security hole. Since the only reason for using eval is to run code that is supplied at run time, it's possible that this code may come from an untrusted or malicious source. Allowing just anyone to run code on your own machine is crazy.
When is eval not evil?
If you are going to use eval, the string must be completely sanitized. You need to check it for infinite loops, assignments, or calls with side-effects that might destroy the integrity of your application. For example, here is a JavaScript application that accepts an arithmetic expression from a user and evaluates it, first checking to make sure the input consists only of digits, parentheses, and the four basic arithmetic operators:
var s = prompt("Enter a numeric formula");
if (/[^\d()+*/-]/.test(s)) {
alert("I don't trust that input");
} else {
alert(eval(s));
}
Eval and Language Design
Either a language will allow evaluation of code strings or it will not. If it does, we can provide that functionality through a function or an operator. Because it is dangerous, it is definitely a candidate construct for being required to appear inside a "warning" construct, or similarly, disallowed from strict modes. Examples:
UNSAFE module Calcuator {
....
// use eval here
....
}
use module UNSAFE;
application Calcuator {
....
// use UNSAFE.eval here
....
}
Eval as a function
Generally, we see eval as a global function, or a member of a module entitled something like Kernel, System, or perhaps better, UNSAFE.
Eval as an operator
Another way to call attention to the use of eval is to simply make it a unary operator on strings. Perhaps:
var s = prompt("Enter an expression");
alert( `` s );
Alternatively, we might see the string to be evaled enclosed in angle or other brackets.
Disallowing Eval
Clearly we could imagine a language without an eval function or operator. C is one such language.
Forced Sanitization
An interesting new idea is for the eval function to take a second parameter which is (1) a block or anonymous function that performs sanitization, or (2) a regex which will be applied to the string so that the string will only be applied if the regex pattern matches. Example:
var s = prompt("Enter a numeric formula");
alert(eval(s, /[^\d()+*/-]/));
Throwing an exception on not matching would likely be the best course of action here.
No comments:
Post a Comment