Fix some uses of eval'ed code using string interpolation (#939)

chrisrink10 · web-flow · commit e7a027f04a53 · 2024-08-02T08:35:34.000-04:00
Fixes #938
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -24,6 +24,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
  * Fix a bug where Basilisp vectors were not callable (#932)
  * Fix a bug where `basilisp.lang.seq.LazySeq` instances were not thread-safe (#934)
  * Fix a bug where Seqs wrapping Python Iterable instances were not thread-safe (#936)
+ * Fix several bugs where code was being executed from a string with interpolated variables, which could've allowed for code (#938)
 
 ### Other
  * Add several sections to Concepts documentation module (#666)
diff --git a/src/basilisp/cli.py b/src/basilisp/cli.py
@@ -10,16 +10,21 @@
 
 from basilisp import main as basilisp
 from basilisp.lang import compiler as compiler
+from basilisp.lang import keyword as kw
+from basilisp.lang import list as llist
+from basilisp.lang import map as lmap
 from basilisp.lang import reader as reader
 from basilisp.lang import runtime as runtime
 from basilisp.lang import symbol as sym
 from basilisp.lang import vector as vec
 from basilisp.lang.exception import print_exception
+from basilisp.lang.util import munge
 from basilisp.prompt import get_prompter
 
 CLI_INPUT_FILE_PATH = "<CLI Input>"
 REPL_INPUT_FILE_PATH = "<REPL Input>"
 REPL_NS = "basilisp.repl"
+NREPL_SERVER_NS = "basilisp.contrib.nrepl-server"
 STDIN_INPUT_FILE_PATH = "<stdin>"
 STDIN_FILE_NAME = "-"
 
@@ -49,10 +54,8 @@ def eval_str(s: str, ctx: compiler.CompilerContext, ns: runtime.Namespace, eof:
 
 def eval_file(filename: str, ctx: compiler.CompilerContext, ns: runtime.Namespace):
     """Evaluate a file with the given name into a Python module AST node."""
-    if os.path.exists(filename):
-        return eval_str(
-            f'(load-file "{Path(filename).as_posix()}")', ctx, ns, eof=object()
-        )
+    if (path := Path(filename)).exists():
+        return compiler.load_file(path, ctx, ns)
     else:
         raise FileNotFoundError(f"Error: The file {filename} does not exist.")
 
@@ -62,14 +65,23 @@ def eval_namespace(
 ):
     """Evaluate a file with the given name into a Python module AST node."""
     path = "/" + "/".join(namespace.split("."))
-    return eval_str(f'(load "{path}")', ctx, ns, eof=object())
+    return compiler.load(path, ctx, ns)
 
 
 def bootstrap_repl(ctx: compiler.CompilerContext, which_ns: str) -> types.ModuleType:
     """Bootstrap the REPL with a few useful vars and returned the bootstrapped
     module so it's functions can be used by the REPL command."""
-    ns = runtime.Namespace.get_or_create(sym.symbol(which_ns))
-    eval_str(f"(ns {sym.symbol(which_ns)} (:use basilisp.repl))", ctx, ns, object())
+    which_ns_sym = sym.symbol(which_ns)
+    ns = runtime.Namespace.get_or_create(which_ns_sym)
+    compiler.compile_and_exec_form(
+        llist.l(
+            sym.symbol("ns", ns=runtime.CORE_NS),
+            which_ns_sym,
+            llist.l(kw.keyword("use"), sym.symbol(REPL_NS)),
+        ),
+        ctx,
+        ns,
+    )
     return importlib.import_module(REPL_NS)
 
 
@@ -345,22 +357,15 @@ def nrepl_server(
 ) -> None:
     opts = compiler.compiler_opts()
     basilisp.init(opts)
-
-    ctx = compiler.CompilerContext(filename=REPL_INPUT_FILE_PATH, opts=opts)
-    eof = object()
-
-    ns = runtime.Namespace.get_or_create(runtime.CORE_NS_SYM)
-    host = runtime.lrepr(args.host)
-    port = args.port
-    port_filepath = runtime.lrepr(args.port_filepath)
-    eval_str(
-        (
-            "(require '[basilisp.contrib.nrepl-server :as nr])"
-            f"(nr/start-server! {{:host {host} :port {port} :nrepl-port-file {port_filepath}}})"
-        ),
-        ctx,
-        ns,
-        eof,
+    nrepl_server_mod = importlib.import_module(munge(NREPL_SERVER_NS))
+    nrepl_server_mod.start_server__BANG__(
+        lmap.map(
+            {
+                kw.keyword("host"): args.host,
+                kw.keyword("port"): args.port,
+                kw.keyword("nrepl-port-file"): args.port_filepath,
+            }
+        )
     )
 
 
diff --git a/src/basilisp/contrib/nrepl_server.lpy b/src/basilisp/contrib/nrepl_server.lpy
@@ -66,42 +66,40 @@
 (declare ops)
 
 (defn- handle-describe [request send-fn]
-  (send-fn request
-           {"versions" {"basilisp" (let [version basilisp.lang.runtime/BASILISP-VERSION-STRING]
-                                     (assoc (zipmap ["major" "minor" "incremental"]
-                                                    version)
-                                            "version-string" (str/join "." version)))
-                        "python" (let [version (get (.split sys/version " ") 0)]
-                                   (assoc (zipmap ["major" "minor" "incremental"]
-                                                  (py->lisp (.split version ".")))
-                                          "version-string" (py->lisp sys/version)))}
-            "ops" (zipmap (map name (keys ops)) (repeat {}))
-            "status" ["done"]}))
+  (let [basilisp-version   (-> (zipmap ["major" "minor" "incremental"] *basilisp-version*)
+                               (assoc "version-string" (str/join "." *basilisp-version*)))
+        python-version     (-> (zipmap ["major" "minor" "incremental"] *python-version*)
+                               (assoc "version-string" (str/join "." *python-version*)))]
+    (send-fn request
+             {"versions" {"basilisp" basilisp-version
+                          "python"   python-version}
+              "ops"      (zipmap (map name (keys ops)) (repeat {}))
+              "status"   ["done"]})))
 
 (defn- format-value [_nrepl-pprint _pprint-options value]
   (pr-str value))
 
 (defn- send-value [request send-fn v]
-  (let [{:keys [client*]}  request
-        {:keys [*1 *2]} @client*
-        [v opts]           v
-        ns                 (:ns opts)]
+  (let [{:keys [client*]} request
+        {:keys [*1 *2]}   @client*
+        [v opts]          v
+        ns                (:ns opts)]
     (swap! client* assoc :*1 v :*2 *1 :*3 *2)
     (let [v (format-value (:nrepl.middleware.print/print request)
                           (:nrepl.middleware.print/options request)
                           v)]
       (send-fn request {"value" (str v)
-                        "ns" (str ns)}))))
+                        "ns"    (str ns)}))))
 
 (defn- handle-error [send-fn request e]
   (let [{:keys [client* ns]} request
         data                 (ex-data e)
         message              (or (:message data) (str e))]
     (swap! client* assoc :*e e)
     (send-fn request {"err" (str message)})
-    (send-fn request {"ex" (traceback/format-exc)
+    (send-fn request {"ex"     (traceback/format-exc)
                       "status" ["eval-error"]
-                      "ns" ns})))
+                      "ns"     ns})))
 
 (defn- do-handle-eval
   "Evaluate the ``request`` ``code`` of ``file`` in the ``ns`` namespace according
@@ -125,9 +123,12 @@
         eval-ns                       (if ns
                                         (create-ns (symbol ns))
                                         eval-ns)]
-    (binding [*ns* eval-ns
+    (binding [*ns*  eval-ns
               *out* out-stream
-              *1 *1 *2 *2 *3 *3 *e *e]
+              *1    *1
+              *2    *2
+              *3    *3
+              *e    *e]
       (try
         (let [results (for [form (seq (basilisp.lang.reader/read reader
                                                                  *resolver*
@@ -142,7 +143,7 @@
           (handle-error send-fn (assoc request :ns (str *ns*)) e))
         (finally
           (swap! client* assoc :eval-ns *ns*)
-          (send-fn request {"ns" (str *ns*)
+          (send-fn request {"ns"     (str *ns*)
                             "status" ["done"]}))))))
 
 (defn- handle-eval [request send-fn]
@@ -179,9 +180,9 @@
                                            (first (seq (basilisp.lang.reader/read reader
                                                                                   *resolver*
                                                                                   *data-readers*))))}
-             (catch python/Exception e
-               (info :symbol-identify-reader-error :input symbol-str :exception e)
-               {:error (str e)}))]
+                                  (catch python/Exception e
+                                    (info :symbol-identify-reader-error :input symbol-str :exception e)
+                                    {:error (str e)}))]
 
     (cond
       error
@@ -201,12 +202,9 @@
                                      (catch python/Exception e
                                        {:error (str e)}))]
         (cond
-          var
-          [:var var]
-          error
-          [:error error]
-          :else
-          [:other form])))))
+          var   [:var var]
+          error [:error error]
+          :else [:other form])))))
 
 (defn- forms-join [forms]
   (->> (map pr-str forms)
@@ -221,36 +219,40 @@
   (let [mapping-type      (-> request :op)
         {:keys [eval-ns]} @client*]
     (try
-      (let [lookup-ns      (if ns
-                             (create-ns (symbol ns))
-                             eval-ns)
-            sym-str        (or (:sym request) ;; cider
-                               (:symbol request) ;; calva
-                               )
+      (let [lookup-ns (if ns
+                        (create-ns (symbol ns))
+                        eval-ns)
+            sym-str   (or (:sym request) ;; cider
+                          (:symbol request) ;; calva
+                          )
+
             [tp var-maybe] (symbol-identify lookup-ns sym-str)
             var-meta       (when (= tp :var) (meta var-maybe))
+
             {:keys [arglists doc file ns line] symname :name} var-meta
-            ref            (when (= tp :var) (var-get var-maybe))
-            response       (when symname (case mapping-type
-                                           :eldoc (cond->
-                                                      {"eldoc" (mapv #(mapv str %) arglists)
-                                                       "ns" (str ns)
-                                                       "type"  (if (fn? ref)
-                                                                 "function"
-                                                                 "variable")
-                                                       "name" (str symname)
-                                                       "status" ["done"]}
-                                                    doc (assoc "docstring" doc))
-                                           :info {"doc" doc
-                                                  "ns" (str ns)
-                                                  "name" (str symname)
-                                                  "file" file
-                                                  "line" line
-                                                  "arglists-str" (forms-join arglists)
-                                                  "status" ["done"]}))
-            status (if (and (nil? symname) (= mapping-type :eldoc) )
-                     ["done" "no-eldoc"]
-                     ["done"])]
+
+            ref      (when (= tp :var) (var-get var-maybe))
+            response (when symname
+                       (case mapping-type
+                         :eldoc (cond->
+                                    {"eldoc"  (mapv #(mapv str %) arglists)
+                                     "ns"     (str ns)
+                                     "type"   (if (fn? ref)
+                                                "function"
+                                                "variable")
+                                     "name"   (str symname)
+                                     "status" ["done"]}
+                                  doc (assoc "docstring" doc))
+                         :info  {"doc"          doc
+                                 "ns"           (str ns)
+                                 "name"         (str symname)
+                                 "file"         file
+                                 "line"         line
+                                 "arglists-str" (forms-join arglists)
+                                 "status"       ["done"]}))
+            status   (if (and (nil? symname) (= mapping-type :eldoc) )
+                       ["done" "no-eldoc"]
+                       ["done"])]
         (debug :lookup :sym sym-str :doc doc :args arglists)
         (send-fn request (assoc response :status status)))
       (catch python/Exception e
@@ -308,7 +310,8 @@
                       "status" ["done"]})))
 
 (def ops
-  "A list of operations supported by the nREPL server."
+  "A map of operations supported by the nREPL server (as keywords) to function
+  handlers for those operations."
   {:eval      handle-eval
    :describe  handle-describe
    :info      handle-lookup
@@ -353,22 +356,26 @@
 
   - ``:recv-buffer-size`` The buffer size to using for incoming nREPL messages."
   (let [{:keys [recv-buffer-size]
-         :or {recv-buffer-size 1024}} opts
-        socket                        (.-request tcp-req-handler)
-        handler                       (make-request-handler opts)
-        response-handler              (make-reponse-handler socket)
-        pending                       (atom nil)
-        zero-bytes                    #b ""
-        client-info                   (py->lisp (.getsockname socket))
-        client*                       (atom {:*1 nil :*2 nil ;; keeps track of the latest
-                                             :*3 nil :*e nil ;; evaluation results
-                                             :eval-ns nil ;; the last eval ns
-                                             })]
+         :or   {recv-buffer-size 1024}} opts
+        socket                          (.-request tcp-req-handler)
+        handler                         (make-request-handler opts)
+        response-handler                (make-reponse-handler socket)
+        pending                         (atom nil)
+        zero-bytes                      #b ""
+        client-info                     (py->lisp (.getsockname socket))
+        client*                         (atom {;; keeps track of latest evaluation results
+                                               :*1      nil
+                                               :*2      nil
+                                               :*3      nil
+                                               :*e      nil
+                                               ;; the last eval ns
+                                               :eval-ns nil
+                                               })]
     (try
       (info "Connection accepted" :info client-info)
       ;; Need to load the `clojure.core` alias because cider uses it
       ;; to test for availability of features.
-      (eval (read-string "(ns user (:require clojure.core))"))
+      (eval '(ns user (:require clojure.core)))
       (swap! client* assoc :eval-ns *ns*)
       (loop [data (.recv socket recv-buffer-size)]
         (if (= data zero-bytes)
@@ -380,7 +387,7 @@
                                            b)
                                          data)
                 [requests unprocessed] (bc/decode-all data {:keywordize-keys true
-                                                            :string-fn #(.decode % "utf-8")})]
+                                                            :string-fn       #(.decode % "utf-8")})]
             (debug :requests requests)
             (when (not (str/blank? unprocessed))
               (reset! pending unprocessed))
@@ -423,7 +430,8 @@
      The session UUIDs are ignored and only created to satisfy the initial clone op."
   [opts]
   (let [{:keys [host port] :or {host "127.0.0.1" port 0}} opts
-        handler (python/type (name (gensym "nREPLTCPHandler")) (python/tuple [socketserver/StreamRequestHandler])
+        handler (python/type (name (gensym "nREPLTCPHandler"))
+                             #py (socketserver/StreamRequestHandler)
                              #py {"handle" #(on-connect % opts)})]
     (socketserver/ThreadingTCPServer (python/tuple [host port]) handler)))
 
diff --git a/src/basilisp/importer.py b/src/basilisp/importer.py
@@ -265,16 +265,9 @@ def get_code(self, fullname: str) -> Optional[types.CodeType]:
             # The target namespace is free to interpret
             code: List[types.CodeType] = []
             path = "/" + "/".join(fullname.split("."))
-            forms = cast(
-                List[ReaderForm],
-                list(
-                    reader.read_str(f'(load "{path}")', resolver=runtime.resolve_alias)
-                ),
-            )
-            assert len(forms) == 1
             try:
-                compiler.compile_and_exec_form(
-                    forms[0],
+                compiler.load(
+                    path,
                     compiler.CompilerContext(
                         filename="<Basilisp Namespace Executor>",
                         opts=runtime.get_compiler_opts(),
diff --git a/src/basilisp/lang/compiler/__init__.py b/src/basilisp/lang/compiler/__init__.py
