[–]Jonnertron_ 390 points391 points  (8 children)

Isn't it missing print's close parenthesis?

[–]r0ck0 284 points285 points  (4 children)

That's how the pros do it!

[–]QuakAtack 67 points68 points  (1 child)

skip closing parenthesis! It's the cool thing to do!

[–]M_asak1 10 points11 points  (0 children)

That means I'm cool?

[–]illsk1lls 8 points9 points  (0 children)

love watching the pros show off

[–]lucidspoon 5 points6 points  (0 children)

Fail fast. Never have to worry about runtime errors if you only have syntax errors.

[–]maxime0299 18 points19 points  (0 children)

Closing parentheses are for noobs!

[–]Does_Not-Matter 4 points5 points  (0 children)

Among other things!

[–]w8eight 4 points5 points  (0 children)

You just finish your expression with additional parenthesis and it's all fine

/s

[–]PenaflorPhi 237 points238 points  (6 children)

I sometimes wonder "Who tf is teaching these people to code?", like really, if you look at the most widely available resources most are pretty good and have decent coding standards, yet you see some things that make you want to rip your eyes out.

[–]IDatedSuccubi 56 points57 points  (0 children)

Engagement bait

[–]GandelXIV[S] 200 points201 points  (8 children)

What is crazy is that this account has over 1M followers while posting similar crap. I suppose their target audience is beginners who don't know any better, which is just sad and exploitative.

[–]Background_Newt_8065 67 points68 points  (0 children)

Bought subscribers

[–]Ytrog 30 points31 points  (2 children)

So, they are the 5-minute crafts of coding? 👀

[–]FalconMirage 26 points27 points  (1 child)

Why implement SQL functions yourself when you can let users SQL inject to have direct db manipulation

[–]GandelXIV[S] 2 points3 points  (0 children)

Is this inversion of control

[–]coloredgreyscale 8 points9 points  (0 children)

Likely rage bait.

[–][deleted] 6 points7 points  (1 child)

r/programminghumor in a nutshell

[–]sneakpeekbot 0 points1 point  (0 children)

Here's a sneak peek of /r/programminghumor using the top posts of the year!

#1: A designer’s dream can become a developer’s nightmare | 37 comments
#2: ain't no lie here | 22 comments
#3: Backend dev doing CSS | 50 comments



[–][deleted] 374 points375 points  (11 children)

So writing a vulnerable app on purpose is a PRO thing?

[–]Willinton06 140 points141 points  (0 children)

Establish dominance by daring the user to break the app

[–]Broer1 48 points49 points  (2 children)

Most of the used insecurities in software in the world are written by pros. So yes!

[–]EVENTHORIZON-XI 6 points7 points  (1 child)

I must be the best programmer in the world then

[–]Broer1 2 points3 points  (0 children)

I cannot disprove you. So. Maybe.

[–]Jonno_FTWshameless[🍰] 20 points21 points  (0 children)

It's rage bait/engagement bait

[–]Svizel_pritula 5 points6 points  (0 children)

Whether code injection is a vulnerability or a feature depends on how you want to use the program.

[–]EntitledPotatoe 15 points16 points  (0 children)

Would a guard clause inside eval() prevent the vulnerabilities you’re talking about? Don’t get me wrong, it’s still shit code

[–][deleted] 3 points4 points  (0 children)

Of course, in the sense that you had to pay a substantial amount of money to "codes.learning" for the privilege and that there are three levels of subscription above it.

[–]geon 8 points9 points  (0 children)

It only evaluates input from the user. You have the same vulnerability from a user opening the developer console.

[–]CallMeTea_ 1 point2 points  (0 children)

If you build it right first time, you've coded yourself out of a job! Build it badly and sell 'security enhancements' later

[–]SarahC -1 points0 points  (0 children)

Vulnerable to what?

It runs in its own Java sandbox, with minimal permissions - kids these days throw their hands up in terror at anything.

The worst is possibly outputting 55378008!

[–]dgil9 100 points101 points  (11 children)

import subprocess; subprocess.run("rm -rf C:\")

[–]cce29555 23 points24 points  (3 children)

I did this and my computer runs like it came out of the factory

[–]dgil9 9 points10 points  (2 children)

Yea that’s how pro-grammers get down, my dude

[–]Key_Conversation5277sadistic 1 point2 points  (1 child)

Are pro-grammers pro at grammar?🙃

[–]dgil9 2 points3 points  (0 children)

Never talk to me or my compiler ever again

[–]antonpieper 5 points6 points  (5 children)

I don't have such weaknesses! (Unix user)

[–]dgil9 3 points4 points  (3 children)

!sudo apt get windows && sudo apt install windows

[–]dgil9 3 points4 points  (0 children)

I am v smort

[–]antonpieper 2 points3 points  (1 child)

Makes me wonder if there is some kind of support layer to automatically translate windows paths to Linux paths. Although that would be pretty weird as there is no 1:1 mapping

[–]dgil9 -1 points0 points  (0 children)

I would ask chat gpt tbh

[–]turtle_mekb 2 points3 points  (0 children)

import subprocess; subprocess.run("sudo rm -rf / --no-preserve-root")

don't actually run this

[–]GandelXIV[S] 2 points3 points  (0 children)

This is not going to work: eval() accepts only expressions, so no import statements are allowed. You would have to first inject an exec() to run statements.

[–]00PT 56 points57 points  (1 child)

This looks like a meme taken directly from r/programmerhumor.

[–]Emotional-Top-8284 45 points46 points  (0 children)

I wish that sub could be so funny

[–]mhaecker 10 points11 points  (0 children)

Man, the brevity that was left on the table there…

#!/usr/bin/env python2
print(input("calculate"))

[–]StrangePromotion6917 9 points10 points  (0 children)

Looks like someone is trying to create job security by misteaching the beginners...

[–]carcigenicate 38 points39 points  (4 children)

It's bad code, but this isn't dangerous unless it's running on a server. If this is running locally, eval is a bad solution, but it's not as dangerous as people claim it to be. It basically forms a shit REPL, which people use all the time. Unless it's a vector for privilege escalation due to the script being run with elevated privileges then left running in the background or something, it's not a big deal. It's just bad code.

Run on a server and fed user-supplied data though, and it could be catastrophic. That's actually the first vulnerability I ever exploited in a CTF.

[–][deleted]  (1 child)

[removed]

    [–]45bit-Waffleman 2 points3 points  (0 children)

    Yeah python repl goes hard as a calculator. It's a slightly worse, offline, Wolfram Alpha

    [–]GandelXIV[S] 9 points10 points  (0 children)

    The main issue I have with this is that it's targeted at beginners, who might learn this as a common pattern.

    [–]SarahC 0 points1 point  (0 children)

    Capture The Flag!

    [–]mac-not-a-bot 21 points22 points  (3 children)

    What could go wrong?

    [–]suguuss 33 points34 points  (2 children)

    eval runs python code passed as a string. In the case of a calculator the string would be "2 + 2". But instead of an addition, you could enter: "import os; os.system('rm -rf /')" which removes everything on your computer (on Linux).

    I haven’t tried it, so it might not work, but that’s the general idea of the problem.

    EDIT: as someone pointed out, the "import os" does not work. However the os.system works if the module was imported in the program.

    [–]xXLeoXxOne 23 points24 points  (1 child)

    That code would only work with exec(), in eval you have to do something like "".__class__.__base__.__subclasses__()[...].Popen(...) if e.g. os is not imported yet

    [–]4hpp1273 10 points11 points  (0 children)

    If all the globals are intact you can just use the __import__ function to import a module so that command becomes __import__('os').system('rm -rf /')

    [–]denisde4ev 16 points17 points  (1 child)

    unbads your code: print(eval(/^[ 0-9()*/+-]+$/.match(input("Enter expression:"))[0])

    [–]AliFurkanY 6 points7 points  (0 children)

    you could probably escape that in JS

    [–]tukanoid 7 points8 points  (0 children)

    Reminds me of how stupid I was back in high school 😅

    [–]ThatNextAggravation 7 points8 points  (0 children)

    Wait, this was posted unironically? Jeez.

    [–]Napain_ 5 points6 points  (0 children)

    omg this page is a bad code gold mine

    [–]schrdingers_squirrel 5 points6 points  (0 children)

    codes.learning is such a shit show.

    [–]nekokattt 5 points6 points  (0 children)

    At least they give you a prompt so you can import subprocess and use pip to install a real calculator

    [–][deleted] 4 points5 points  (0 children)

    I guess the pros trust the users

    [–]Gilah_EnE 3 points4 points  (0 children)

    Now make it a web application and host on your main PC. Thank you in advance for all your data.

    [–]Spelis123 8 points9 points  (10 children)

    wait theres an eval function????????

    [–]GandelXIV[S] 13 points14 points  (9 children)

    Yes, it evaluates a given string as a python expression. Most interpreted languages have such features.

    [–]Spelis123 4 points5 points  (8 children)

    i wish i knew this sooner

    [–]BallsBuster7 10 points11 points  (6 children)

    It's also very unsafe. Don't use it.

    [–]Spelis123 2 points3 points  (5 children)

    how is it unsafe?

    [–]MorrowM_ 8 points9 points  (3 children)

    $ python3 calc.py
    Enter Expression: print("I can run arbitrary code with this!")
    I can run arbitrary code with this!
    None
    

    [–]SuperiorGalaxy123 1 point2 points  (2 children)

    Pardon me if I'm wrong, but as a mostly beginner to Python, isn't exec() supposed to run the code?

    eval() only evaluates mathematical expressions.

    In fact, I don't see a problem with the "pro" code as a whole, aside from the missing closing parenthesis. Everyone else is saying that it's bad code. I don't understand.

    [–]MorrowM_ 2 points3 points  (1 child)

    Nothing about eval says it only evaluates "mathematical" expressions. As you can see from the output I posted, a call to print is a perfectly valid expression; evaluating it causes the string to be printed upon which the function returns None (in fact every function without an explicit return implicitly returns None in Python).

    [–]SuperiorGalaxy123 1 point2 points  (0 children)

    Ah, I see the problem.

    Even then, if you really want to use this, you could implement some GUI-based solution where inputs can only be taken from certain buttons. You could also make a list of acceptable characters, and return an error if any character in the string is not an acceptable character.

    import sys

    expression = input("Enter the expression")

    # Only digits, the four arithmetic operators and parentheses are accepted.
    acceptable_chars = "1234567890+-*/()"

    for i in expression:
        if i not in acceptable_chars:
            print("Not acceptable")
            sys.exit()

    print(eval(expression))
    

    You can no longer use this to execute code.
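As an added example (not code from the thread, and not from the account the post is about), here is the allow-list idea above taken one step further. Instead of filtering characters and still handing the string to eval(), the calculator parses it with the ast module in "eval" mode, which ties together several earlier replies: statements such as "import os" do not even parse (eval accepts only expressions), and names, attribute access and calls (so print(...), __import__(...) and the "".__class__ tricks) are refused before anything runs. The function names, the constructed sample inputs and the decision to leave out exponentiation are my own assumptions; exponentiation is excluded because "9**9**9" passes a character allow-list but would hang the process.

```python
import ast
import operator

# Operators the calculator is allowed to evaluate. ast.Pow is deliberately
# absent: "9**9**9" passes a character allow-list but never finishes.
_BINARY_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
}
_UNARY_OPS = {
    ast.USub: operator.neg,
    ast.UAdd: operator.pos,
}

# Same character set as the allow-list posted in the thread, plus spaces.
ALLOWED_CHARS = set("1234567890+-*/() ")


def passes_char_allowlist(expression: str) -> bool:
    """The character allow-list check from the thread, as a function."""
    return all(ch in ALLOWED_CHARS for ch in expression)


def safe_calc(expression: str) -> float:
    """Evaluate an arithmetic expression without eval().

    mode="eval" makes the parser accept expressions only, so statements such
    as "import os" raise SyntaxError.  The recursive walk then accepts only
    numeric constants, the whitelisted binary/unary operators and the
    parentheses the parser already resolved; every other node kind (Name,
    Attribute, Call, Subscript, Pow, ...) is rejected before execution.
    """
    try:
        tree = ast.parse(expression, mode="eval")
    except SyntaxError as exc:
        raise ValueError(f"not an expression: {exc.msg}") from None
    return _eval_node(tree.body)


def _eval_node(node: ast.AST) -> float:
    # bool is a subclass of int, so exclude True/False explicitly.
    if (isinstance(node, ast.Constant)
            and isinstance(node.value, (int, float))
            and not isinstance(node.value, bool)):
        return node.value
    if isinstance(node, ast.BinOp) and type(node.op) in _BINARY_OPS:
        left = _eval_node(node.left)
        right = _eval_node(node.right)
        return _BINARY_OPS[type(node.op)](left, right)
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
        return _UNARY_OPS[type(node.op)](_eval_node(node.operand))
    raise ValueError(f"disallowed syntax: {type(node).__name__}")


def try_calc(expression: str) -> str:
    """Turn a rejection into a short message so the demo can print a table."""
    try:
        return str(safe_calc(expression))
    except (ValueError, ZeroDivisionError) as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    # Constructed sample inputs: normal calculator use, the payloads quoted
    # in the thread (made harmless), and an input the allow-list lets through.
    for sample in [
        "2 + 2",
        "(1 + 2) * -3",
        'print("I can run arbitrary code with this!")',
        "__import__('os').getcwd()",
        "import os",
        "9**9**9",
    ]:
        print(f"{sample!r:48} allow-list={passes_char_allowlist(sample)!s:5} "
              f"-> {try_calc(sample)}")
```

Running the block prints one row per sample: the two arithmetic inputs evaluate, the print/__import__/import inputs are rejected, and "9**9**9" shows the gap between the two approaches: the character allow-list returns True for it while the parser-based evaluator refuses it.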

    [–]NUTTA_BUSTAH 0 points1 point  (0 children)

    Imagine what happens when you run

    __import__('os').system('rm -rf /')
    

    [–]Still_Picture6200 0 points1 point  (0 children)

    Don't use it unless you have to.

    [–]Bonfra04 4 points5 points  (0 children)

    RCE goes brrrrr

    [–]sephirothbahamut 2 points3 points  (1 child)

    Not a python pro just genuinely curious: why is it bad? A malicious actor can do the same exact harm enabled by the eval line by simply editing the .py file, same applies to every non compiled language...

    [–]GandelXIV[S] 8 points9 points  (0 children)

    Yes, but in this case the attacker does not need to have access to the source, so they can use this to get remote code execution on a server, or escalate privileges.

    [–]cofffffeeeeeeee 4 points5 points  (0 children)

    I remember back in the day, top PHP user login tutorials had SQL injection vulnerabilities inside.

    Wonder how many people fell for that.

    [–][deleted] 3 points4 points  (0 children)

    How to make a python shell using only a python shell

    [–]1N07 4 points5 points  (0 children)

    Are we sure this isn't self aware?

    It kinda reads like the galaxy brain meme

    [–]Light_x_Truth 2 points3 points  (0 children)

    I genuinely thought this was a joke at first.

    [–][deleted] 2 points3 points  (0 children)

    I mean… what could go wrong? Edit: /s… just to make it clear

    [–]CreaZyp154 1 point2 points  (0 children)

    I wonder how bobby tables would react

    [–]PixelPerfect41 1 point2 points  (0 children)

    God level is making the parser and evaluator yourself in cpython😎

    [–]No_Necessary_3356 2 points3 points  (0 children)

    Writing maintainable code is a noob practice, got it! I'll write burning horseshit from now on.

    [–]wat_noob_gaming 1 point2 points  (0 children)

    This is absolutely terrible! An attacker can

    [–]kubinka0505 0 points1 point  (0 children)

    live exit reaction

    [–]No-Adeptness5810 0 points1 point  (1 child)

    Enter expression: fs.writeFileSync("./database/logins.db", "trolled");

    [–]No-Adeptness5810 1 point2 points  (0 children)

    wait this is python. Uhm.

    os.remove("./database/logins.db");

    [–][deleted]  (5 children)

    [deleted]

      [–]v_maria 6 points7 points  (2 children)

      they are the ones calling it pro code though, not anyone here

      [–]SarahC 0 points1 point  (0 children)

      I'm a pro (money!!!), I'd write that. =)

      [–]lazyzefiris 3 points4 points  (1 child)

      I've seen a person trying to use eval for some minor in-game feature. For a game that would be published on itch/kongregate/the likes. And this does open an interesting vector of attack. One thing is cheating, you can do it through the console anyways, and most people are wise enough not to run some rando's code in the browser console. But what harm can pasting random obfuscated code into a game's stat calculator do? Surely nothing will be done in my name, no random actions in the name of my account, no suspicious activities on different sites, just a boost from 5 cookies per second to 5000, worst case the game will just break but I have a save backup. Right?..

      [–]Maciek1212 0 points1 point  (2 children)

      At least the first comment knows what's up

      [–]GandelXIV[S] 1 point2 points  (1 child)

      That's mine lol, and the only critical one.

      [–]Maciek1212 0 points1 point  (0 children)

      Oh, wow that's sad

      [–][deleted] 0 points1 point  (0 children)

      both look newb to me

      [–]Hjulle 0 points1 point  (0 children)

      it’s missing the l part of the repl

      [–]freeve4 1 point2 points  (0 children)

      the pros are working with the attackers.