我正在尝试使用以下访问者限制用户提供的脚本:
class SyntaxChecker(ast.NodeVisitor):
def check(self, syntax):
tree = ast.parse(syntax)
print(ast.dump(tree), syntax)
self.visit(tree)
def visit_Call(self, node):
print('Called for Call', ast.dump(node))
if isinstance(node.func, ast.Call) and node.func.id not in allowed_functions:
raise CodeError("%s is not an allowed function!"%node.func.id)
elif isinstance(node.func, ast.Attribute) and node.func.value.id not in allowed_classes:
raise CodeError('{0} is not calling an allowed class'.format(node.func.value.id))
elif isinstance(node.func, ast.Name) and node.func.id in allowed_classes:
raise CodeError('You are not allowed to instantiate any class, {0}'.format(node.func.id))
else:
ast.NodeVisitor.generic_visit(self, node)
def visit_Assign(self, node):
print('Called for Assign', ast.dump(node))
ast.NodeVisitor.generic_visit(self, node)
def visit_Attribute(self, node):
print('Called for Attribute', ast.dump(node))
if node.value.id not in allowed_classes:
raise CodeError('"{0}" is not an allowed class'.format(node.value.id))
elif node.value.id in allowed_classes and isinstance(node.ctx, ast.Store):
raise CodeError('Trying to change something in a pre-defined class, "{0}" in "{1}"'.format(node.attr, node.value.id))
else:
ast.NodeVisitor.generic_visit(self, node)
def visit_Expr(self, node):
print('Called for Expr', ast.dump(node))
ast.NodeVisitor.generic_visit(self, node)
def visit_Name(self, node):
print('Called for Name', ast.dump(node))
if isinstance(node.ctx, ast.Store) and node.id in allowed_classes:
raise CodeError('Trying to change a pre-defined class, {0}'.format(node.id))
elif isinstance(node.ctx, ast.Load) and node.id not in safe_names and node.id not in allowed_functions and node.id not in allowed_classes:
raise CodeError('"{0}" function is not allowed'.format(node.id))
else:
ast.NodeVisitor.generic_visit(self, node)
def generic_visit(self, node):
print('Called for generic', ast.dump(node))
if type(node).__name__ not in allowed_node_types:
raise CodeError("%s is not allowed!"%type(node).__name__)
else:
ast.NodeVisitor.generic_visit(self, node)
if __name__ == '__main__':
# Check whole file
x = SyntaxChecker()
code = open(sys.argv[1], 'r').read()
try:
x.check(code)
except CodeError as e:
print(repr(e))
# Or check line by line, considering multiline statements
code = ''
for line in open(sys.argv[1], 'r'):
line = line.strip()
if line:
code += line
try:
print('[{0}]'.format(code))
x.check(code)
code = ''
except CodeError as e:
print(repr(e))
break
except SyntaxError as e:
print('********Feeding next line', repr(e))
它暂时没问题,我会更多地调整它,但问题是,在解析类似这样的事情时,它总会抛出SyntaxError('unexpected EOF while parsing', ('<unknown>', 1, 15, 'for j in A.b():'))
for j in A.b():
print('hey')
因此,不会解析for或if。
编辑:我已添加代码以立即检查整个代码,或检查多行语句。
答案 0 :(得分:3)
您正逐行解析代码,但for循环并不孤立。没有套件的for循环是语法错误。 Python期望找到一个套件并找到EOF(文件末尾)。
换句话说,您的解析器只能在一条物理线路上处理Simple Statements和独立Expressions,如果它们在同一行上直接跟随简单语句或表达式,则Compound Statements
您的代码也将失败:
多行字符串
somestring = """Containing more
than one
line"""
续行
if the_line == 'too long' and \
a_backslash_was_used in (True, 'true'):
# your code fails
somevar = (you_are_allowed_to_use_newlines,
"inside parentheses and brackets and braces")
使用ast.parse()逐行检查代码在这里不起作用;它仅适用于整个套房;在逐个文件的基础上,我只传入整个文件。
要逐行检查代码,您需要自己对其进行标记。您可以使用tokenize library;它会在语法错误上报告SyntaxError例外或tokenize.TokenError。
如果您想限制脚本,请查看asteval;项目本身或其源代码。他们解析整个脚本,然后根据生成的AST节点执行(限制他们接受的节点)。
答案 1 :(得分:0)
您可以使用ast.parse解析is instance(iterator,(Ast,if,Ast.For))。