1

I'm working on a bot in Perl (based on POE) and so far so good, but I can't figure out how can I add a !js or !perl command to evaluate respective code and return one line of output to be printed into the channel. I found App::EvalServer but I don't get how to use it.

Thanks for any help!

simbabque
  • 53,749
  • 8
  • 73
  • 136
argoneus
  • 1,097
  • 2
  • 13
  • 24
  • 1
    `!perl system('rm -rf /')` - this is not the best idea imho, but in a save environment it might be ok. – simbabque Jun 24 '12 at 20:45
  • Be careful when evaluating code. You can't trust user input. Only evaluate code on a safe, distant environment, or only allow trusted people to do it. – Madara's Ghost Jun 24 '12 at 20:53
  • Thing is, I don't even know how to do it. I don't know how to evaluate Perl/JS code in Perl. :/ – argoneus Jun 24 '12 at 20:55
  • 1
    @argoneus That's probably a good thing! Allowing people to `eval` arbitrary perl code sounds like a horribly unsafe idea. All it takes is one user having a bad password. – TLP Jun 24 '12 at 21:00

2 Answers2

3

The App::EvalServer module comes with a binary to run as a standalone application. You do not put it in your program but rather run it on it's own. It opens a port where you can hand it code as a json string. This does not sound like a good idea to me either.

There is another module you might want to look at called Safe. I suggest you read through the complete documentation as well as the one to Opcode (linked in the doc) before you do anything with this. YOU CAN DO SERIOUS DAMAGE IF YOU EVALUATE ARBITRARY CODE! Never forget that.

UPDATE:

Here's an example of how to capture the output of print or say from your evaled code. You can use open with a variable to make printed output always go to that variable. If you switch back afterwards you can work with the captured output in your var. This is called an in-memory file.

use strict; use warnings;
use feature 'say'; 
use Safe;

# Put our STDOUT into a variable
my $printBuffer;
open(my $buffer, '>', \$printBuffer);
# Everything we say and print will go into $printBuffer until we change it back
my $stdout = select($buffer);

# Create a new Safe
my $compartment = new Safe;
$compartment->permit(qw(print)); # for testing

# This is where the external code comes in:
my $external_code = qq~print "Hello World!\n"~;

# Execute the code
my $ret = $compartment->reval($external_code, 1);

# Go back to STDOUT
select($stdout);

printf "The return value of the reval is: %d\n", $ret;
say "The reval's output is:";
say $printBuffer;

# Now you can do whatever you want with your output
$printBuffer =~ s/World/Earth/;
say "After I change it:";
say $printBuffer;

Disclaimer: Use this code at your own risk!

Update 2: After a lengthy discussion in chat, here's what we came up with. It implements a kind of timeout to stop the execution if the reval is taking to long, e.g. because of an infinite loop.

#!/usr/bin/perl
use warnings;
use strict;
use Safe;
use Benchmark qw(:hireswallclock);

my ($t0, $t1); # Benchmark
my $timedOut = 0;
my $userError = 0;
my $printBuffer;
open (my $buffer, '>', \$printBuffer);
my $stdout = select($buffer);
my $cpmt = new Safe;
$cpmt->permit_only(qw(:default :base_io sleep));
eval
{
        local $SIG{'ALRM'} = sub { $timedOut = 1; die "alarm\n"};
        $t0 = Benchmark->new;
        alarm 2;
        $cpmt->reval('print "bla\n"; die "In the user-code!";');
#         $cpmt->reval('print "bla\n"; sleep 50;');
        alarm 0;
        $t1 = Benchmark->new;
        if ($@)
        {
                $userError = "The user-code died! $@\n";
        }
};
select($stdout);


if ($timedOut)
{
        print "Timeout!\n";
        my $td = timediff($t1, $t0);
        print timestr($td), "\n";
        print $printBuffer;
}
else
{
        print "There was no timeout...\n";
        if ($userError)
        {
                print "There was an error with your code!\n";
                print $userError;
                print "But here's your output anyway:\n";
                print $printBuffer;
        }
        else
        {
          print $printBuffer;
        }
}
simbabque
  • 53,749
  • 8
  • 73
  • 136
  • I tried using this, but when I did !perl print "bla", it printed 'bla' only in my console.. I was using the opcodes :default and :base_io. Any idea why? – argoneus Jun 25 '12 at 12:03
  • I think this depends on your definition of eval. If you want it to print stuff to IRC, you need to tell it to do that. When you eval a print in the `Safe`, it will most likely not print that to your IRC connection. You need to catch what the eval says and send that to the IRC. Again, **be careful**! With this it might also be possible to find weaknesses in your software if the right code is `eval`ed. – simbabque Jun 25 '12 at 12:14
  • Well, I did `$result = $compartment->reval($code)` and then sent `$result` to IRC, but when I do !perl print "bla", instead of printing "bla" on irc it prints "1". But when I `print $result` in my bot before sending it to irc, it shows the correct output "bla".. Any idea why could that be? – argoneus Jun 25 '12 at 12:26
  • In the [doc](http://search.cpan.org/~rgarcia/Safe-2.33/Safe.pm#reval_%28STRING,_STRICT%29) it says *"the method returns the value of the last expression evaluated"*, which in case of `print` is 1 if the `print` succeeded. You could try opening a filehandle to write to a variable in your outside code, use `[share](http://search.cpan.org/~rgarcia/Safe-2.33/Safe.pm#share_%28NAME,_...%29)` to get that into the compartment and replace the `eval`'s `STDOUT` with it each time you `eval` something. – simbabque Jun 25 '12 at 12:50
  • Could you elaborate please? I have no idea what you mean >. – argoneus Jun 25 '12 at 13:16
  • I'll change my post. It's actually a bit simpler than what I first thought. – simbabque Jun 25 '12 at 15:16
  • What exactly does `my $stdout = select($buffer);` do? The way I understand is that when you later to `select($stdout);` you will re-switch to `$buffer`, no? – argoneus Jun 25 '12 at 16:57
2

Take a look at perl eval(), you can pass it variables/strings and it will evaluate it as if it's perl code. Likewise in javascript, there's also an eval() function that performs similarly.

However, DO NOT EVALUATE ARBITRARY CODE in either perl or javascript unless you can run it in a completely closed environment (and even then, it's still a bad idea). Lot's of people spend lots of time preventing just this from happening. So that's how you'd do it, but you don't want to do it, really at all.

Jon Lin
  • 142,182
  • 29
  • 220
  • 220