Because “formula” accepts a character vector with R functions enabled, it creates a security problem, as described in https://arxiv.org/pdf/1303.4808.pdf.
Situations like this can occur:
userformula <- "speed ~ dist + system('whoami')"
lm(userformula, data=cars)
Although I have intelligently tested any functions in my application that take a “formula” as a parameter, I'm curious:
1) Are there any other R functions besides formulas that include R functions as symbol vectors, as formula does? What other features should I keep track of that have the same issue?
2) Is it possible to make a function accept a formula as a parameter? If so, how can I prevent this?
Edit: I limit this to basic R packages.
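One way to approach the "how can I prevent this?" part, as an added example that is not part of the original post: parse the user string without evaluating it, then walk the syntax tree against an allow-list before it reaches lm(). The name safe_formula(), the contents of the allow-list and the use of the cars data set are assumptions made for this illustration.

```r
# Added example: safe_formula() and its allow-list are hypothetical, not base R.
safe_formula <- function(txt, data,
                         allowed_calls = c("~", "+", "-", "*", ":", "^", "(", "I", "log")) {
  stopifnot(is.character(txt), length(txt) == 1L, !is.na(txt), is.data.frame(data))
  # parse() only builds the syntax tree; nothing in `txt` is evaluated.
  exprs <- parse(text = txt, keep.source = FALSE)
  if (length(exprs) != 1L) stop("expected exactly one expression", call. = FALSE)
  e <- exprs[[1L]]
  if (!is.call(e) || !identical(e[[1L]], as.name("~")))
    stop("input is not a formula", call. = FALSE)

  walk <- function(node) {
    if (is.call(node)) {
      fn <- node[[1L]]
      # Call heads must be plain allow-listed names; this also rejects
      # base::system(...) and (function() ...)(), whose heads are calls.
      if (!is.name(fn) || !(as.character(fn) %in% allowed_calls))
        stop("call not allowed: ", deparse(fn)[1L], call. = FALSE)
      for (i in seq_along(node)[-1L]) walk(node[[i]])
    } else if (is.name(node)) {
      # Variables must be columns of `data`, so nothing is looked up elsewhere.
      if (!(as.character(node) %in% names(data)))
        stop("unknown variable: ", as.character(node), call. = FALSE)
    } else if (!(is.numeric(node) && length(node) == 1L)) {
      stop("only numeric literals are allowed", call. = FALSE)
    }
    invisible(TRUE)
  }
  walk(e)
  # Evaluating a `~` call only constructs the formula object; its operands
  # stay unevaluated. baseenv() keeps user-defined helpers out of scope.
  eval(e, envir = baseenv())
}

# Constructed inputs: one benign formula and the string from the question.
ok <- safe_formula("speed ~ dist + I(dist^2)", cars)
print(coef(lm(ok, data = cars)))
rejected <- tryCatch(safe_formula("speed ~ dist + system('whoami')", cars),
                     error = function(err) conditionMessage(err))
print(rejected)
```

The check fails closed: a string that does not parse, contains more than one expression, or uses any call or variable outside the allow-list raises an error before a model function sees it.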