[Rd] Operator masks in R, restrict set of applicable functions

Michael Dondrup michael.dondrup at cebitec.uni-bielefeld.de
Mon Mar 27 10:22:33 CEST 2006


Hi,
is there a way to restrict the set of admissible functions for an eval() 
statement to a possibly 'safe' set, excluding all potentially dangerous 
functions like 'system', 'open', etc.(like, for instance, in the 'Safe' 
module for Perl)?

The background for this question is, that this would be run in a 
CGI-environment. The user should be able to input some R-code (a 
function assignment), thereafter the code is parsed, evaluated and the 
type of function parameters checked by a call to 'formals'
like in:
 > expr <- parse(text='foo <- function(x = numeric()){mean(x)}')
 > eval(expr[1])
 > formals(foo)
$x
numeric()

of course, this is highly dangerous, given this setting, as one could try
 > expr <- parse(text='system("ls");
foo <- function(x = numeric()){mean(x)}') # or more evil things
 > eval(expr)

I know I could do something like
 > system <- function(...) stop ('This is not allowed!')
but it's rather likely to miss one of the 'bad' functions.

Any ideas would be appreciated.

Regards
Michael Dondrup



More information about the R-devel mailing list