refactor: Harden use_calculator against potential eval exploits

The previous implementation of `use_calculator` relied on a character whitelist to sanitize expressions before passing them to `eval`. This approach is brittle and can be bypassed. This commit introduces two improvements: 1. The character whitelist check is now performed using a set for faster lookups. 2. A check has been added to explicitly disallow the use of double underscores (`__`) in expressions, which is a common vector for accessing sensitive attributes and methods in Python. While this is not a complete solution for safely evaluating mathematical expressions, it significantly hardens the `use_calculator` function against common `eval` exploits.
2025-12-06 12:22:18 +00:00 · 2025-10-14 16:03:37 +05:00 · 2025-10-14 16:03:37 +05:00 · 6c6c1c2e67
commit 6c6c1c2e67
parent dd6ff9a1cc
1 changed files with 6 additions and 1 deletions
--- a/nanochat/engine.py
+++ b/nanochat/engine.py
@ -46,7 +46,12 @@ def eval_with_timeout(formula, max_time=3):
 def use_calculator(expr):
    """Evaluate a math expression safely."""
    expr = expr.replace(",", "")
-    if any([x not in "0123456789*+-/.() " for x in expr]): # for now disallow non-numeric chars
+    # Faster and safer check for allowed characters
+    allowed_chars = set("0123456789*+-/.() ")
+    if not all(c in allowed_chars for c in expr):
+        return None
+    # Disallow access to built-ins and other sensitive attributes
+    if "__" in expr:
        return None
    if "**" in expr: # for now disallow power operator, could be very expensive
        return None