Matlab EVAL – limit access scope to a selected subset of built-in functions / variables?
Dear Matlab Community,
There's a non-trivial issue in Matlab I'm currently puzzled by. Perhaps someone has faced a similar question before.
Imagine there's some user input imported previously from an external ini-file, consisting of a list of variable names, variable values and an equation to evaluate, e.g.
names = { 'var1', 'var2' };
values = { 1.23, 4.56 };
equation = 'db( var1 / var2 )';
Is there a clean way to evaluate such input to a result, limiting the access scope during the evaluation to user variables and built-in mathematical functions only?
The user variables can be assigned to a cleared workspace of a dedicated function, and the evaluation can be performed there, so that no other variables except for user ones will be accessible for the evaluation, e.g.:
% evaluate user function in a workspace containing user parameters only
function out = cleanEval( equation, names, values )
    % descend into a subfunction to operate on this workspace
    out = cleanEvalCore( equation, names, values );

function out = cleanEvalCore( equation, names, values )
    % clear all variables from the caller workspace (we have them here)
    evalin( 'caller', 'clear' );
    % assign user variables from names/values to the caller workspace
    for ii = 1 : numel( names )
        assignin( 'caller', names{ ii }, values{ ii } );
    end
    % evaluate user function in the caller workspace
    out = evalin( 'caller', equation );
However, as long as EVAL is used for evaluation, there's a possible misuse case to enter a third code into the user function, e.g.
names = { 'var1', 'var2' };
values = { 1.23, 4.56 };
equation = 'myGUI.closeWindow()';
or e.g.
equation = '!format C:\';
... which might lead to interesting consequences if evaluated as is.
Converting the equation string to a 'function handle of user variables' does not solve the issue, since any third command inside the equation will still be evaluated.
Is there a typical way to limit the scope for a single evaluation statement, so that it only can access the standard math functions (e.g. min/max/sin/cos/exp/log/db) or functions of a given list, but nothing else?
Or is there a way to evaluate the equation with some built-in math. engine instead of EVAL?
2 Comments
Mario Malic
2020-11-15
I might have misunderstood the whole question, but does str2func sound useful for your case?
Walter Roberson
2020-11-15
No, that does nothing to restrict which functions can be called, at least not without preprocessing to verify compliance.
Accepted Answer
Walter Roberson
2020-11-15
The way using eval involves manipulating the MATLAB path to expose only the functions you want to be accessible. As a lot of built-in functions do not appear on the path (the mechanism that the built-in libraries are linked in is unspecified) this can require implementing the built-in functions yourself.
This approach is risky, and if you have a pressing need for this then I recommend that you open a technical support case to consult with the Cody team about how they handle restrictions.
Or... you can take the much more secure route of designing a small "language" that only defines the features you want, and use parsing / interpreter techniques to execute it. Pattern match 'sin' and pull out the arguments and call sin yourself.
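One way the "small language" route from the answer above could look, as an added example that is not code from anyone in this thread: a recursive-descent evaluator that accepts only numbers, user variables, `+ - * /`, parentheses and an allowlist of functions, and never calls eval. The name `safeEval`, the contents of the allowlist and the anonymous `db` stand-in (voltage decibels) are assumptions made for the illustration.

```matlab
function out = safeEval(equation, names, values)
% Added example: evaluates + - * /, parentheses, user variables and
% allowlisted functions only. No eval/evalin/str2func is ever called.
funcs = struct('sin',@sin, 'cos',@cos, 'exp',@exp, 'log',@log, 'min',@min, ...
    'max',@max, 'db',@(x) 20*log10(abs(x)));   % db: assumed stand-in (voltage dB)
vars = cell2struct(values(:), names(:), 1);    % names must be valid identifiers
pat  = '\d+\.?\d*(?:[eE][+-]?\d+)?|[A-Za-z]\w*|[-+*/(),]';
if ~isempty(regexprep(equation, [pat '|\s+'], ''))   % anything else, e.g. ! . ; '
    error('safeEval:syntax', 'Illegal characters in expression.');
end
tok = [regexp(equation, pat, 'match'), {''}];  % '' marks end of input
pos = 1;
out = parseSum();
if ~isempty(tok{pos}), error('safeEval:syntax', 'Unexpected "%s".', tok{pos}); end

    function v = parseSum()
        v = parseProduct();
        while any(strcmp(tok{pos}, {'+','-'}))
            op = tok{pos}; pos = pos + 1; r = parseProduct();
            if strcmp(op, '+'), v = v + r; else, v = v - r; end
        end
    end
    function v = parseProduct()
        v = parseAtom();
        while any(strcmp(tok{pos}, {'*','/'}))
            op = tok{pos}; pos = pos + 1; r = parseAtom();
            if strcmp(op, '*'), v = v * r; else, v = v / r; end
        end
    end
    function v = parseAtom()
        t = tok{pos}; pos = pos + 1;
        if strcmp(t, '-'), v = -parseAtom();                 % unary minus
        elseif strcmp(t, '('), v = parseSum(); expect(')');
        elseif ~isempty(t) && any(t(1) == '0':'9'), v = str2double(t);
        elseif ~isempty(t) && isletter(t(1)) && strcmp(tok{pos}, '(')
            if ~isfield(funcs, t), error('safeEval:denied', 'Function "%s" is not allowed.', t); end
            pos = pos + 1; args = {parseSum()};
            while strcmp(tok{pos}, ','), pos = pos + 1; args{end+1} = parseSum(); end
            expect(')'); f = funcs.(t); v = f(args{:});
        elseif isfield(vars, t), v = vars.(t);
        else, error('safeEval:syntax', 'Unknown name or unexpected token "%s".', t);
        end
    end
    function expect(s)
        if ~strcmp(tok{pos}, s), error('safeEval:syntax', 'Expected "%s".', s); end
        pos = pos + 1;
    end
end
```

Calling `safeEval('db( var1 / var2 )', {'var1','var2'}, {1.23, 4.56})` evaluates the question's first example, while `'myGUI.closeWindow()'` and `'!format C:\'` are rejected at the character check before any parsing happens.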