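#!/usr/bin/python3
# -*- coding: utf-8 -*-
"""Show why eval/exec/compile, shell=True and pickle are dangerous on user input.

This is a teaching script: it deliberately runs the unsafe calls so the reader
can see the effect. Each example carries a comment naming the risk and the
safer alternative.
"""
import os
import pickle
import subprocess

# %% Evil eval, exec, compile
"""
NOTE: please don't use these: There is virtually always a better way.

You can use eval() or exec() to dynamically execute Python code.

eval(str)
    Evaluates a string and returns an object. eval() can only execute or
    evaluate expressions.

exec(str)
    exec() can execute any piece of Python code.

The compile built-in can be used to speed up repeated invocations of the same
code with exec or eval, by compiling the source into a code object beforehand.
"""
help(eval)
help(exec)

yourcommand = "print('hey')"
eval(yourcommand)
exec(yourcommand)

# What do we let the user do?
# The evaluated string sees the whole interpreter, including every imported
# module (here `os`), so a string meant as "data" becomes a command.
eval("print(os.system('ls'))")
exec(yourcommand + "; x='hacked'; print('you have been ' + x)")

"""
Even worse: You should probably NEVER eval/exec/compile/os.system/subprocess.call
on user inputted data:
"""
# What if we insert os.system("cat /etc/passwd")
# What if we insert os.system("rm -rf *")
# What can the user break with arbitrary command capability??
user_command = input()
# SECURITY: eval() on raw user input is arbitrary code execution. Kept only as
# the demonstration; real code should parse the input (int(), json.loads(),
# ast.literal_eval() for literals) instead of evaluating it.
eval(user_command)


# It's not just eval that is vulnerable to this:
def transcode_file():
    """Ask for a file path and run ffmpeg on it without going through a shell.

    The path is untrusted, so it is passed as its own argv element. The
    string-built form, ``'ffmpeg -i "{source}" output_file.mpg'.format(source=filename)``
    run with ``subprocess.call(command, shell=True)``, lets a crafted path close
    the quotes and append its own shell commands.

    Returns:
        The exit status of ffmpeg as reported by subprocess.call().
    """
    filename = input("Please provide the path for the file to transcode: ")
    # List argv, shell=False: the path is one argument and is never parsed by a shell.
    return subprocess.call(["ffmpeg", "-i", filename, "output_file.mpg"])


# Also this can execute arbitrary python code:
# pickle.load() takes an open binary file object, not a path name; passing the
# str "whatever.pkl" raised TypeError before the example could run.
# SECURITY: unpickling executes whatever __reduce__ the bytes describe, so never
# pickle.load() data from an untrusted source; use json for interchange.
with open("whatever.pkl", "rb") as pkl:
    pickle.load(pkl)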