One Matlab Command You Should Never Use - Why The Eval Command Is Awful [Matlab Rants]

Captions
Welcome to another Coding Like Mad in MATLAB video. Today I'm going to do something a little different: I want to talk about the eval command. This command is responsible for a hell of a lot of pain in my life, and I think it's important that we have a little chat about why this thing is the devil. So let's start out: what is the eval command? I know a third of my audience right now is wondering exactly what it is. Well, simply put, it is a command in MATLAB which lets you evaluate an expression as if it was MATLAB. So in short it's kind of god mode for MATLAB; you can use it to do anything. Now that sounds great, everybody likes powerful commands, but unfortunately with great power comes great responsibility, and most people are not that responsible. So what you really want to ask yourself is this: unbridled power, if a co-worker or someone on the internet who wrote a piece of code hands you some MATLAB software, can you trust that they have used this particular power gracefully? Can you trust that they aren't playing with what is kind of metaphorical dynamite without proper training?

So let's look into exactly why this is a scary thing. To demonstrate this I have created a really simple little app here. So this app has kind of two pieces of functionality that you might use the eval command for. I know there are other ways that people use the eval command, but I don't want to get into every single thing; I just want to explain why in particular I think it's a scary thing. So I'm not going to deal with things like how it's not maintainable, I'm not going to deal with how the code is bug-prone and really hard to debug. If you've ever seen eval code, or the eval function in badly-written code, you know the nightmare I'm talking about. No, today we're just going to talk about why the eval function is insecure.

So this is a really simple little app. What it does is I throw in a definition for a function y, so like y equals x, and then I can put in some options for plotting. This is like a totally reasonable way to do something. So for example let's make a function y equals x squared, and then I'm going to put in a title and some labels. So, super simple app, and I think people who have made sort of industrial apps recognize that this is a really useful thing to do, or people who have for example done their thesis in MATLAB: boy, wouldn't it be nice to be able to retitle all of your figures or edit the legends after the fact, or, you know, maybe I want to be able to add in an instruction to change a font color. That sort of thing is really hard to do in more complicated pieces of software if it has to be done at dozens of places, but here it's automatic. So this is like the lure of the eval command.

So let's just quickly look at how I did this, just so we know what we're getting into. So, pretty simple little function. All it does is, when you push the plot button, it takes a predefined value for x and now it's going to try and execute this block here. So we've got first a single eval command for the top box, which just executes y equals and then whatever is inside that box, and then second it plots the figure, and then it will go line by line through the text box executing anything you want inside that. So basically the top box is kind of in a little bit of a walled garden, whereas the bottom box is just, basically you can do anything you want in there. So I think pretty much everybody knows this bottom box is a terrible idea. So for example nothing stops me from just going ahead and executing whatever MATLAB code I want in there; you can see I'm displaying the character a right now. So like I said, the eval command is basically god mode for MATLAB, and the problem is MATLAB runs on your computer, which means you now have shell access to this computer. So I wrote this code and I'm not gonna do something stupid to my computer, but I can't guarantee that I always have full control over the code I write. My code often runs on other machines, it runs in shared environments, and occasionally it'll run on a dedicated system for controlling hardware. So I really don't want this sort of thing just open to the world.

So what could you do with it? Well, one of the things that you can do in MATLAB is the system command. So for example if you look in the main command window, I just ran the dir command, so I'm running a Windows system and I'm able to view what's in my local directory right now, and you can see there's some MATLAB files, I've got a picture of Lake Louise in there, and some .m files from a tutorial I was working on. So you know, that's great if I'm going to edit something like this, but the problem is I can do anything, right? Like for example let's just go ahead and, uh, we've lost my window, bring it back, OK, let's go ahead and let's delete that file. Can I do that? So I deleted it, I think, I hope. Well, I don't hope, I like that photo, but anyway let's see what happens. Yeah, whoo, it's gone. I just deleted a file, and I kind of like that file. So you know, I'm not gonna go crazy, it's my own system, but you can basically trash the system from this point, and the scary thing here is in principle I can do anything. So while I am constrained by the controls Windows has put on what a user can do, how many of you right now in my audience are running this in administrator mode? I bet the answer is a pretty large portion, and even if you're not, there are things called privilege escalation exploits where you just need to be able to run a piece of code and it will get you administrator privileges, at which point you own the system, you can do anything you want to it. And you might say, well, this is running on a standalone system, but it's not that hard to open a browser and send it to a predetermined address with an instruction to download a file. So once you have shell access and the system's on the internet, you can do basically whatever you want. So my point is eval is a pretty scary little system.

So OK, I think everybody agrees that this text box where we just use the eval command was a pretty awful idea, but I want to make a point actually about walled gardens as well. So this top box you might think is a lot safer. Some of you, I think, in the audience right now are probably saying that's BS, and we're getting to it. So in other languages, for example in SQL, there's what's called a SQL code injection exploit, and the idea is basically that certain characters allow you to exit the prompt and do other commands to the database you're working in. So for example we can do the same thing here, right? It's going to try and execute as if it was code whatever goes in this string. So we have a string y equals and then whatever goes in this box and then a semicolon. So y equals x semicolon is a legitimate string; so is, for example, throwing in a semicolon here and then we're going to put in a beep command, and you just heard it beep, right? The important thing is I need to terminate the last statement before I start a new one. So just to be clear, I can throw in again the system command and we can view my directory again. So I can do basically anything I want here at this point.

So I think the point I want to make is, yes, eval is an incredibly powerful and incredibly useful command. In principle, if you are extremely careful with this command you can probably make it safe, but I don't think I've ever seen someone actually properly do the things they need to clean up the input to the eval command so that it wasn't a security hole. So that sort of thing might include making sure, for example in this top box, that they're not directly calling a separate function, making sure that they're not actually injecting semicolons to finish the command off, making sure that they don't have quotes in there in order to access other functionality. And the truth is, for many things there's better options. So there are functions which, rather than running any command, will run a specific function with arguments you specify, so you can do substantially more safe things here. But even if you can't, if you're writing software that's ever going to run on someone else's machine, or, because I hear this excuse a lot, if you're writing software which hypothetically could run on someone else's machine, please, please, please do not use the eval command. It is just not worth the security holes you're injecting onto any system it's ever going to run on.

So let's finish off this video right there. I think, if I remember correctly, there is a shutdown, I want to say, now command. Is this a thing I can run? I think this is a good way to end the stream off, so I will see you guys next time, and hopefully I get this on the first try. It might be /s, I think it has to be /f, I think.
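An added example (not the video's app code) showing the two boxes the video describes done without an open eval: the expression box is checked against a character allow-list before anything runs, and the options box maps fixed keys to fixed calls instead of evaluating each line. The function names and the key=value option format are assumptions made for this example.

```matlab
% safePlotDemo.m (constructed example; not the video's app)
% The video's app ran eval(['y = ' exprBox ';']) and then eval on every
% line of the options box. Both accept arbitrary MATLAB statements.
function safePlotDemo()
    x = linspace(-2, 2, 200);

    % Expression box: allow-list the characters before anything is executed.
    y = evalExpression('x.^2 + 1', x);            % accepted
    try
        evalExpression('x; beep', x);             % rejected: ';' and letters
    catch err
        disp(['Rejected expression: ' err.message]);
    end

    % Options box: fixed keys mapped to fixed calls, never eval on a line.
    figure; plot(x, y);
    applyPlotOptions({'title=Parabola', 'xlabel=x', 'ylabel=y', ...
                      'system=dir'});             % last line is ignored
end

function y = evalExpression(exprStr, x)
    % Only digits, the variable x, arithmetic operators, '.', parentheses
    % and whitespace. No other letters (so no function names), no ';' or
    % ',' (no second statement), no quotes or brackets.
    if isempty(regexp(exprStr, '^[0-9x+*/.^() \t-]+$', 'once'))
        error('evalExpression:badInput', ...
              'only arithmetic in x is allowed: %s', exprStr);
    end
    % The allow-list is what makes this safe; str2func alone would not be.
    f = str2func(['@(x) ' exprStr]);
    y = f(x);
end

function applyPlotOptions(optionLines)
    % Each option line is key=value. Only listed keys do anything, and the
    % value is only ever passed as a plain label string (no TeX, no code).
    allowed = containers.Map({'title', 'xlabel', 'ylabel'}, ...
                             {@title, @xlabel, @ylabel});
    for i = 1:numel(optionLines)
        tok = regexp(optionLines{i}, '^\s*(\w+)\s*=(.*)$', 'tokens', 'once');
        if isempty(tok) || ~isKey(allowed, tok{1})
            warning('safePlotDemo:badOption', ...
                    'Ignoring unsupported option: %s', optionLines{i});
            continue;
        end
        setter = allowed(tok{1});
        setter(strtrim(tok{2}), 'Interpreter', 'none');
    end
end
```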
Info
Channel: CodingLikeMad
Views: 3,544
Rating: 4.8139534 out of 5
Keywords: matlab, eval, matlab eval function, matlab eval, matlab function, matlab tutorial, tutorial, coding standards
Id: XD2WcsPCbpg
Length: 11min 55sec (715 seconds)
Published: Wed Oct 10 2018