I have a Python web application where I'd like to enable user-defined expressions that can be evaluated against a fixed set of variables in a secure manner. The expressions should support basic arithmetic and conditional logic, and ideally be simple enough for a non-programmer to use, perhaps something similar to Excel formulas. I'm aware of a few different libraries/approaches:

My biggest priorities are protecting against any security vulnerabilities, and ease-of-use for non-technical users. Any suggestions/recommendations or lessons learned from implementing something similar? A related SO question (Best way to enable user to input formula without making a security hole?) recommends building your own parser, but that seems risky, and I'm sure I'd overlook something.

Udbhav
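
One way to meet the requirements in the question without `eval()`, as an added example that is not part of the original post: the expression is parsed with Python's `ast` module and only an allow-list of node types is evaluated against the supplied variables. The names `safe_eval` and `ExpressionError` and the `MAX_LEN` limit are assumptions of this example, and conditionals use Python's `x if cond else y` form rather than an Excel-style `IF()`.

```python
import ast
import operator

# Allow-list of operators; anything not listed is rejected. Power (**) is
# deliberately absent so a short input cannot request a huge computation.
_BIN = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
        ast.Div: operator.truediv, ast.Mod: operator.mod}
_UNARY = {ast.USub: operator.neg, ast.UAdd: operator.pos, ast.Not: operator.not_}
_CMP = {ast.Eq: operator.eq, ast.NotEq: operator.ne, ast.Lt: operator.lt,
        ast.LtE: operator.le, ast.Gt: operator.gt, ast.GtE: operator.ge}
MAX_LEN = 200  # assumed limit; bounds parse cost and nesting depth

class ExpressionError(ValueError):
    """Raised for any expression outside the allowed subset."""

def safe_eval(expr, variables):
    """Evaluate expr against a fixed dict of numeric variables, without eval()."""
    if len(expr) > MAX_LEN:
        raise ExpressionError("expression too long")
    try:
        return _ev(ast.parse(expr, mode="eval").body, variables)
    except (SyntaxError, ZeroDivisionError, OverflowError, RecursionError) as exc:
        raise ExpressionError(f"rejected: {type(exc).__name__}") from exc

def _ev(node, env):
    if isinstance(node, ast.Constant):
        # Numbers and True/False only; strings, bytes, None are rejected below.
        if type(node.value) in (int, float, bool):
            return node.value
    elif isinstance(node, ast.Name) and node.id in env:
        return env[node.id]  # lookup only in the caller-supplied dict
    elif isinstance(node, ast.BinOp) and type(node.op) in _BIN:
        return _BIN[type(node.op)](_ev(node.left, env), _ev(node.right, env))
    elif isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY:
        return _UNARY[type(node.op)](_ev(node.operand, env))
    elif isinstance(node, ast.BoolOp):  # and / or, result coerced to bool
        vals = (_ev(v, env) for v in node.values)  # lazy: short-circuits
        return all(vals) if isinstance(node.op, ast.And) else any(vals)
    elif isinstance(node, ast.Compare) and all(type(o) in _CMP for o in node.ops):
        vals = [_ev(n, env) for n in [node.left] + node.comparators]
        return all(_CMP[type(o)](a, b) for o, a, b in zip(node.ops, vals, vals[1:]))
    elif isinstance(node, ast.IfExp):  # "x if cond else y"
        return _ev(node.body if _ev(node.test, env) else node.orelse, env)
    raise ExpressionError(f"not allowed: {type(node).__name__}")
```

Attribute access, function calls, subscripts, string literals and names outside the supplied dict all fall through to the final `raise`, so the evaluator fails closed on anything it does not recognise.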

0 Answers