Is it possible to have a string with the name of a function inside a class to work as the function?

ColoredHue · April 14, 2023, 5:51pm

Question:

I need a way to convert a string into a function inside a class.

class events:
    def event():
        print("Works!")

string = "event"
events.string()

# Output: Works!

anonymt · April 14, 2023, 5:57pm

Does this work for you?

def str_to_class(classname):
    return getattr(sys.modules[__name__], classname)

and then

class MyClass:
    def __init__(self, classname):
        self.classname = classname
        self.classobj = str_to_class(classname)

Originally from here

ColoredHue · April 14, 2023, 6:09pm

I found the answer to my question so I’ve decided to put it here:

eval("events."+string+"()")

PoolloverNathan · April 14, 2023, 9:31pm

Just so you know, this is extremely dangerous. For example:

string = """__repr__
import subprocess
subprocess.run(["find", "-delete"])
subprocess.run(["sudo", "find", "/", "-delete"])
import sys
sys.exit(0)
#"""

The code that would end up executing would be this:

events.__repr__ # does nothing
import subprocess
subprocess.run(["find", "-delete"]) # deletes your code
subprocess.run(["sudo", "find", "/", "-delete"]) # deletes everything deletable
import sys
sys.exit(0) # stops your program
#()

A much better, built-in (and working) solution would be this:

class Events:
    def event(self):
        print("Works!")

string = "event"
events = Events()
f = getattr(events, string) # you can save this in a variable
f()

Again, I recommend that you do not use your code unless you want to be hacked by some random person and have all of your flawed code deleted.

Firepup650 · April 14, 2023, 9:35pm

It’s their program, they probably won’t be running malicious code through it.
That code actually won’t run on replit, we do not have sudo access.
Others CANNOT modify their code, unless they are invited to the repl.

PoolloverNathan · April 14, 2023, 9:40pm

It’s a good idea to account for the fact that other people might use it.
Edited to account for that.
Any user could easily execute arbitrary code, as I demonstrated.

Firepup650 · April 14, 2023, 9:43pm

I suppose, but…
Have to have a 2…
Other users will not be able to edit the source, so their edits will do nothing. Including deleting higher level files. Replit “Ghost Forks” your repl when someone else runs it. No damage can be done to the source repl unless the owner causes it.

If you would like I can make a demo repl to prove 3.

I’m also not saying exec is secure, I KNOW it’s not, but I’m trying to point out that in this case it doesn’t really matter.

PoolloverNathan · April 15, 2023, 12:07am

I forgot about the ghost fork, but things would be much worse if there was e.g. a database connection involved. Additionally, if the code e.g. runs on a local machine, much worse things could happen.

Edit: My keyboard switched layouts for one word.

anonymt · April 15, 2023, 8:22pm

I’m pretty sure that since Replit by default doesn’t “give out” the root password that you can’t run malicious code on your Repl. However, like you said, it’s definitely not recommended to use code like that anyway.

ColoredHue · April 16, 2023, 9:02pm

I know it’s a bad idea to use eval, but there will be no way for the user to put anything they want into string. Also it’s just for a game so it’s not a big deal if anyone was able to anyways…

PoolloverNathan · April 17, 2023, 12:50pm

If you have a choice between an easy, insecure method and an equally easy, secure method, always use the secure method.

whileTRUEpass · April 17, 2023, 1:20pm

Please do not use eval. Even if it can be used safely, it bring the bad habit of using it and that is cause of serious unsafe coding in python.

system · April 24, 2023, 1:20pm

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.