Support

If you have a problem or need to report a bug please email : support@dsprobotics.com

There are 3 sections to this support area:

DOWNLOADS: access to product manuals, support files and drivers

HELP & INFORMATION: tutorials and example files for learning or finding pre-made modules for your projects

USER FORUMS: meet with other users and exchange ideas, you can also get help and assistance here

NEW REGISTRATIONS - please contact us if you wish to register on the forum

Users are reminded of the forum rules they sign up to which prohibits any activity that violates any laws including posting material covered by copyright

The root of all eval()

Post any examples or modules that you want to share here

The root of all eval()

Postby HughBanton » Thu Sep 15, 2022 11:57 am

Made a discovery the other day, I had no idea you could do this with Ruby. (But then there's lots & lots I don't know ... :roll: > Lots. )
eval_dem.fsm
(451 Bytes) Downloaded 481 times

In my example you can write a regular text list containing expressions, and then select one of them.

A bit like the new Eval prim in the FS Alfa, eval() enables Ruby to run code that has been written as text somewhere else, outside of its own regular 'red' editor. In this instance it comes from a text box, but it could actually be sourced from anywhere. So this is really flexible - with this arrangement you can enter any valid Ruby code through an S input and eval() will execute it; my code-selector example is just one possibility.

However ...

I put up something similar on Discord, and got an immediate warning from Myco (The Boss!), with a link to an 'Eval is Evil' site! Omg Omg :oops: . (Google that phrase - there's lots of them).

The point is, always, that if you allow external code to enter an eval() in Ruby then it's going to get executed, and if you take no precautions it could allow for something malicious to enter. It's a lesson heeded because my plan is - guess what! - to make something like this that decodes some form of 'config' text file, in order to set up various input parameters and maybe switching-equations. Seems like I'm going to need to introduce some careful parsing/filtering to make it safe ...

H
Attachments
eval_dem.fsm
(436 Bytes) Downloaded 493 times
User avatar
HughBanton
 
Posts: 265
Joined: Sat Apr 12, 2008 3:10 pm
Location: Evesham, Worcestershire

Re: The root of all eval()

Postby DaveyBoy » Fri Sep 16, 2022 5:39 pm

Hi Hugh
I have succesfully used this method for storing drum machine songs/patterns and other settings in a config file and it works like a charm.
As this is only used by me I don't see an issue with the vulnerabilities. If however this was released to the public then obviously it would be a concern.

I'm wondering is it possible to encode the file somehow so that it is not saved as plain text . . . or would that make no difference?

Hoping one of the Ruby experts can advise :D
User avatar
DaveyBoy
 
Posts: 131
Joined: Wed May 11, 2016 9:18 pm
Location: Leeds UK

Re: The root of all eval()

Postby RJHollins » Fri Sep 16, 2022 7:10 pm

Pretty Cool !

8-)
RJHollins
 
Posts: 1571
Joined: Thu Mar 08, 2012 7:58 pm

Re: The root of all eval()

Postby tulamide » Sat Sep 17, 2022 8:16 pm

Some time back, eval() came up here on the forums as well, and I also warned harshly! It cannot be stressed enough, how dangerous it is to use it, especially when you are not a Ruby Pro (none of us here is, that's the level of Pro I mean).

Just two lines of code can erase a users whole harddisk for example. Installing a trojan would be easy, and so on. Don't use eval().
"There lies the dog buried" (German saying translated literally)
tulamide
 
Posts: 2714
Joined: Sat Jun 21, 2014 2:48 pm
Location: Germany

Re: The root of all eval()

Postby tulamide » Sat Sep 17, 2022 8:18 pm

DaveyBoy wrote:As this is only used by me I don't see an issue with the vulnerabilities. If however this was released to the public then obviously it would be a concern.

If there is no user access at all, it is safe. If the files you write to are not part of the evaluation, it should be safe. As soon as user input is involved, it is highly dangerous.
"There lies the dog buried" (German saying translated literally)
tulamide
 
Posts: 2714
Joined: Sat Jun 21, 2014 2:48 pm
Location: Germany

Re: The root of all eval()

Postby DaveyBoy » Sun Sep 18, 2022 2:53 am

Thanks for the heads up Tula, confirms my thoughts.
I have been experimenting with the green text prim that Hugh is using in his example.
Strings can be formatted and written to the prim(s) and evaluated when required.
The data is saved when powered off so this could be used as a safe 'internal' config or memory component without the need to write to file which can obviously be interfered with.

I'm also thinking that that this could form the basis of a custom preset manager :D
User avatar
DaveyBoy
 
Posts: 131
Joined: Wed May 11, 2016 9:18 pm
Location: Leeds UK

Re: The root of all eval()

Postby HughBanton » Sun Sep 18, 2022 1:39 pm

tulamide wrote:Some time back, eval() came up here on the forums as well, and I also warned harshly!

Thanks T, we just luv it when you talk harsh.

https://xkcd.com/327/ :lol:

I'll be sure to sanitize my inputs 8-)

H
User avatar
HughBanton
 
Posts: 265
Joined: Sat Apr 12, 2008 3:10 pm
Location: Evesham, Worcestershire


Return to User Examples

Who is online

Users browsing this forum: No registered users and 51 guests