Simple calculator using eval

eval is much too powerful for a calculator. If there is any chance at all that the program will be used by a hostile user, then you must not use eval. Your program allows the user to execute any Ruby code that can fit on one line.

Furthermore, any attempt to sandbox eval in Ruby would be hopeless. Consider that numbers are objects that have powerful methods. Try entering this as input:

3.send(:eval, "File.delete('/tmp/dummy.txt')")

That would delete the file /tmp/dummy.txt if the user has the filesystem permissions to do so.

I do not know Ruby, but from my Python knowledge, it is not good to use eval in a real program. When you use eval, it executes the code directly, so accidental/experimental input can have unwanted results, or even destroy the system. Also, this has the potential for a hacker who has limited access to the system to run this program and do whatever they want as long as they have access to it, instead of cracking in deeper and doing whatever they are trying to do.

See this question for a detail discussion about eval in Ruby.

This question is about python, but also has good points.

• \$\begingroup\$ Why do they make eval so strong? Why not just make it evaluate a mathematical expression? That's what it's going to be used for in most cases anyways, right? \$\endgroup\$

  BWG

  – BWG

  2015年02月16日 23:39:30 +00:00

  Commented Feb 16, 2015 at 23:39
• 1
  \$\begingroup\$ I don't know, I don't know, and I don't know. \$\endgroup\$

  user34073

  – user34073

  2015年02月17日 00:02:20 +00:00

  Commented Feb 17, 2015 at 0:02
• \$\begingroup\$ @BWG because the language designers who think eval is a good thing are idiots. Almost every scripting language supports eval and people use it, so why not implement it? \$\endgroup\$

  Cole Tobin

  – Cole Tobin

  2015年02月17日 01:45:53 +00:00

  Commented Feb 17, 2015 at 1:45

• ruby
• security
• calculator