On Tue, Jun 10, 2014 at 09:55:40AM +0200, Mark Overmeer wrote:
> * Andrew Beverley (a...@andybev.com) [140609 10:57]:
> > I'd like to take a condition specified by a user and use it to perform a
> > set of tests on a data set. Is there a module to do this?
>
> What about PPI: parse the string as Perl, then walk through the
> result tree to check for unsupported nodes.

PPI provides a complicated way to parse as much of Perl as possible. It has 68 bugs currently filed against it. I wouldn't be surprised if a malicious user could generate simple code that would cause PPI to consume lots of resources.

Given that Andy wants to process untrusted input, this seems like a bad choice. The earlier suggestions on this thread of using a specialised mini-language or constructing one using a parser seem like better solutions than generalised approaches like using PPI or Docker containers.

Tom
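
Added example, not part of the original message or of any module named in the thread: a minimal sketch of the "specialised mini-language" approach, where a user condition is tokenised and evaluated by a small recursive-descent parser that never reaches `eval STRING`. The grammar, the name `check_condition`, the length and nesting limits, and the sample record are all assumptions made for illustration.

```perl
use strict; use warnings;
my ($MAX_LEN, $MAX_DEPTH) = (200, 10);   # assumed limits: bound the work one condition can cause
# Grammar: expr := term ('or' term)* ; term := fact ('and' fact)*
#          fact := 'not' fact | '(' expr ')' | FIELD OP (NUMBER | 'string')
sub check_condition {
    my ($text, $rec) = @_;
    die "condition too long\n" if length($text) > $MAX_LEN;
    my @tok;                              # anything outside this token set is rejected below
    push @tok, $1 while $text =~ /\G\s*(==|!=|<=|>=|[<>()]|'[^']*'|-?\d+(?:\.\d+)?|[A-Za-z_]\w*)/gc;
    $text =~ /\G\s*\z/gc or die "unexpected character at offset " . (pos($text) // 0) . "\n";
    my $v = _expr(\@tok, $rec, 0);
    die "unexpected '$tok[0]'\n" if @tok;
    return $v ? 1 : 0;
}
sub _expr { _chain(@_, 'or',  \&_term) }
sub _term { _chain(@_, 'and', \&_fact) }
sub _chain {                              # operands joined left to right by one keyword
    my ($tok, $rec, $depth, $kw, $next) = @_;
    my $v = $next->($tok, $rec, $depth);
    while (@$tok && $tok->[0] eq $kw) {
        shift @$tok;
        my $r = $next->($tok, $rec, $depth);
        $v = $kw eq 'or' ? ($v || $r) : ($v && $r);
    }
    return $v;
}
sub _fact {
    my ($tok, $rec, $depth) = @_;
    die "nesting too deep\n" if $depth > $MAX_DEPTH;
    my $t = shift(@$tok) // die "unexpected end of condition\n";
    return !_fact($tok, $rec, $depth + 1) if $t eq 'not';
    if ($t eq '(') {
        my $v = _expr($tok, $rec, $depth + 1);
        return ')' eq (shift(@$tok) // '') ? $v : die "missing ')'\n";
    }
    exists $rec->{$t} or die "unknown field '$t'\n";   # only keys of the record are names
    my ($lhs, $op, $val) = ($rec->{$t}, splice @$tok, 0, 2);
    die "incomplete comparison\n" unless defined $val;
    return $op eq '==' ? $lhs eq $1 : $op eq '!=' ? $lhs ne $1 : die "strings allow only == and !=\n"
        if $val =~ /^'(.*)'\z/s;
    $val =~ /^-?\d/ or die "expected a value, got '$val'\n";
    my $c = $lhs <=> $val;
    return $op eq '==' ? $c == 0 : $op eq '!=' ? $c != 0 : $op eq '<' ? $c < 0 : $op eq '<=' ? $c <= 0
         : $op eq '>' ? $c > 0 : $op eq '>=' ? $c >= 0 : die "bad operator '$op'\n";
}
my %row = (age => 34, country => 'NL', banned => 0);    # constructed sample record
for my $cond ("age >= 18 and (country == 'NL' or banned == 1)", "age >= 18 or exit()") {
    my $r = eval { check_condition($cond, \%row) };     # block eval only traps die
    print "$cond => ", (defined $r ? "$r\n" : "rejected: $@");
}
```

Because the only names the parser accepts are keys of the record and the only operations are the listed comparisons, input that is not a condition is rejected at parse time instead of being interpreted.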