基础入门_Python-内建函数.运维开发中eval内建函数的最佳实践?

简单介绍:

说明: 在指定命名空间中计算参数字符串的有效表达式,并返回一个对象,

Helponbuilt-infunctionevalinmodule__builtin__:eval(...)eval(source[,globals[,locals]])->valueEvaluatethesourceinthecontextofglobalsandlocals.ThesourcemaybeastringrepresentingaPythonexpressionoracodeobjectasreturnedbycompile().Theglobalsmustbeadictionaryandlocalscanbeanymapping,defaultingtothecurrentglobalsandlocals.Ifonlyglobalsisgiven,localsdefaultstoit.

技巧: eval很危险,因为它默认在当前命名空间中解析语句表达式,但它支持设定命名空间防止当前命名空间被污染,可以有效防止注入

最佳实践:

#!/usr/bin/envpython#-*-coding:utf-8-*-"""##Authors:limanman#OsChina:http://xmdevops./#Purpose:#"""#说明:兼容绝对导入from__future__importabsolute_import#说明:导入公共模块importtimeimportoperator#说明:导入其它模块from.alarmimportalarm_templatefrom.alarm.apiimportweixin_notifydefavg(alarmtmplist,redis_key,trigg_key,trigg_val,errors):scope={}realdata_lst=[](service_name,converts_val,during_time,_,operator_val,compare_time,warnning_val,critical_val)=trigg_valconvertsfunc=eval(converts_val,scope)warnning_val=convertsfunc(warnning_val)critical_val=convertsfunc(critical_val)datacate,host,plugin=redis_key.split('::')operatorfunc=getattr(operator,operator_val)forcur_iteminalarmtmplist:cur_item=convertsfunc(cur_item['data']['target'])realdata_lst.append(cur_item)avg_realdata=sum(realdata_lst)/len(realdata_lst)warnning_res=operatorfunc(avg_realdata,warnning_val)critical_res=operatorfunc(avg_realdata,critical_val)msgtime=time.strftime('%H:%M:%S',time.localtime())formats='PLUGIN(%s)DURINGTIME(%s)COMPARETIMES(%s)AVG(%s)OPERATION(%s)TARGET(%s)'ifcritical_res:message=formats%(plugin,during_time,compare_time,avg_realdata,operator_val,critical_val)res_msg=alarm_template%(host,'critical',errors,msgtime,message)weixin_notify(res_msg)returnifwarnning_res:message=formats%(plugin,during_time,compare_time,avg_realdata,operator_val,warnning_val)res_msg=alarm_template%(host,'warnning',errors,msgtime,message)weixin_notify(res_msg)return

说明: 此文件本是预警系统阀值处理接口文件,传递过来的参数converts_val可能为str/int/float等类型名称,都属于内置函数名,为了不污染当前线程运行环境同名内置函数,定义一个空scope,搜索时就在scope的__builtins__中调用纯净的str/int/float等内置函数,如果不定义,线程下次运行时可能就找不到str/int/float等内置函数.