understanding the zcx python evaluation context

Whenever expressions are evaluated, or the python command is used, zcx will evaluate the code in a limited Python context.

why?

This restriction is in place to safeguard zcx users against bad actors who might distribute 'helpful' zcx configuration files that actually contain malicious code. Through this attack vector, an attacker could do a lot of damage, such as wiping your entire filesystem or reading your sensitive files.

the solution

All user-supplied Python expressions are interpreted with the asteval library. asteval evaluates your expressions in a limited context, which means that the most dangerous Python features are simply not available. In particular, importing modules is not allowed, and access to "private" (underscore-prefixed) attributes is prevented.

additional restrictions

  • by default, asteval allows access to Python's open() function in read-only mode. This has been disallowed in zcx, so expressions cannot read files at all.
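The three restrictions above (no imports, no private attributes, no open()) can be illustrated with a small evaluator built on the standard-library ast module. This is an added example, not zcx's code and not asteval itself; the SAFE_BUILTINS allow-list and the snippets at the bottom are constructed for the demonstration.

```python
import ast

class RestrictedCode(ValueError):
    """Raised when user-supplied code uses a feature the limited context forbids."""

# Constructed allow-list of builtins. open() is deliberately absent, matching
# zcx's extra restriction; __import__ is absent too, so imports cannot work.
SAFE_BUILTINS = {"abs": abs, "min": min, "max": max, "len": len, "round": round,
                 "int": int, "float": float, "str": str, "range": range, "sum": sum}

def check_code(source):
    """Parse user code and reject imports and 'private' (underscore) access."""
    tree = ast.parse(source, mode="exec")
    for node in ast.walk(tree):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            raise RestrictedCode("importing modules is not allowed")
        if isinstance(node, ast.Attribute) and node.attr.startswith("_"):
            raise RestrictedCode("private attribute %r is not allowed" % node.attr)
        if isinstance(node, ast.Name) and node.id.startswith("_"):
            raise RestrictedCode("private name %r is not allowed" % node.id)
    return tree

def run_limited(source, symbols=None):
    """Run checked code against a stripped builtins table and return the value
    of a trailing expression statement (None if the code ends in a statement)."""
    tree = check_code(source)
    namespace = {"__builtins__": SAFE_BUILTINS}  # name lookups see only this table
    namespace.update(symbols or {})
    last = tree.body.pop() if tree.body and isinstance(tree.body[-1], ast.Expr) else None
    exec(compile(tree, "<user-code>", "exec"), namespace)
    if last is None:
        return None
    return eval(compile(ast.Expression(last.value), "<user-code>", "eval"), namespace)

def outcome(source, symbols=None):
    """('ok', value) when the code ran, ('blocked', reason) when it was refused."""
    try:
        return ("ok", run_limited(source, symbols))
    except (RestrictedCode, NameError) as exc:
        return ("blocked", str(exc))

if __name__ == "__main__":
    # Constructed snippets: an ordinary expression, then one per blocked feature.
    for snippet in ("x * 2 + 1", "import os", "(1).__class__", "open('notes.txt')"):
        print(snippet, "->", outcome(snippet, {"x": 20}))
```

The AST walk refuses the forbidden syntax before anything runs, and the stripped builtins table is what makes open() a NameError rather than a file read.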