Some denial-of-service ideas from a related project

[ptmcg]

Congrats on asteval! I made an even more minimal safe eval in my plusminus project (https://github.com/pyparsing/plusminus). In particular, I added some DoS guards around exponentiation that you might want to borrow for this project. These guards work using detection of 1 and 0 exponent values that can be used to reduce the complexity of an expression (9**9**9 is not accepted, but 9**9**9**0 is, since this reduces to 9**9**1 or just 9**9). Plusminus also has an open "try and break this" web page here: https://ptmcg.pythonanywhere.com/plusminus You can enter "9**9**9" and "9**9**9**0" and see what you get.

One problem I had with plusminus is, once you get started writing your own parser, you get drunk with power! plusminus adds a bunch of notation that goes beyond Python's arithmetic expressions: absolute value using |x|, square root and cube root using √ and ³√, set operators (∩ & ∪ | - ^ ∆ ∈ ∉), constants (π e τ φ), factorial (!), degree-to-radian conversion using ° operator, common superscripts as exponents (⁻¹ ⁰ ¹ ² ³). Well, you see what I mean.

Best of luck with your project!

[newville]

@ptmcg Thanks, For denial-of-service errors with exponentiation, we use a runtime check that the value of the exponent cannot exceed 10,000. So, "9**9**5" does fail at runtime. We also use a runtime check that printable output cannot exceed a certain length.

So, we try to handle the problems we know about. But we also admit that we probably don't handle the problem we don't know about.

Handling and using non-ASCII operators and symbols is always fun. ;)

It turns out that I wrote asteval after trying pretty hard to use pyparsing. The extended 4-function calculator is not too hard, but adding loops and conditionals gets pretty challenging.... AST is just way better for that.