Better handling of check expressions

[ryan-pratt]

This is a potentially breaking change if users were abusing the check() API.

Before, if you booted fresh COSMOS with the demo and wrote a script with check(EXAMPLE STATUS VALUE > 1), then the script would crash (even in disconnect mode) because that tlm value is nil/None, which can't be compared using < or >. This fixes that by making sure the eval can be called before calling it and logging an error more gracefully. I also added some other safeguards around the comparisons you can do.

Also fixed a couple bugs in extract.py and added unit tests based on the ruby ones.

I gave up removing eval() because the code paths just became too numerous to keep in my head and I was spending too much time on it; plus like @/ryanmelt mentioned in standup, this is in an executing script anyway. I'd like to remove those, but it's tech debt for another time imo.

[codecov]

Codecov Report

❌ Patch coverage is 80.00000% with 8 lines in your changes missing coverage. Please review.
✅ Project coverage is 78.22%. Comparing base (38803d7) to head (8e0cbc8).
⚠️ Report is 6 commits behind head on main.

Files with missing lines	Patch %	Lines
openc3/lib/openc3/script/api_shared.rb	71.42%	4 Missing ⚠️
openc3/lib/openc3/script/extract.rb	84.61%	4 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3143      +/-   ##
==========================================
- Coverage   78.23%   78.22%   -0.01%     
==========================================
  Files         673      673              
  Lines       55239    55321      +82     
  Branches      728      728              
==========================================
+ Hits        43214    43275      +61     
- Misses      11947    11968      +21     
  Partials       78       78              

Flag	Coverage Δ
python	79.50% <ø> (+0.02%)	⬆️
ruby-api	82.97% <ø> (-0.17%)	⬇️
ruby-backend	81.36% <80.00%> (-0.02%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[sonarqubecloud]

Quality Gate failed

Failed conditions
13 New issues
1 Security Hotspot
9.1% Duplication on New Code (required ≤ 3%)

See analysis details on SonarQube Cloud

Catch issues before they fail your Quality Gate with our IDE extension SonarQube for IDE

[aikido-pr-checks]

Remote Code Execution possible via eval()-type functions - critical severity
Using functions such as eval can lead to users being able to run their own code on your servers.

Show fix

Remediation: If possible, avoid using these functions altogether. If not, use a list of allowed inputs that can feed into these functions.

_{Reply @AikidoSec ignore: [REASON] to ignore this issue.
More info}

[aikido-pr-checks]

Unsafe eval usage can lead to remote code execution - critical severity
Using eval on expressions based on user input can execute arbitrary code.

Show fix

Remediation: Consider using ast.literal_eval as an alternative. If that is not possible, replace the usage with a safer alternative that strictly parses the expected input format.

_{Reply @AikidoSec ignore: [REASON] to ignore this issue.
More info}

[aikido-pr-checks]

Unsafe eval usage can lead to remote code execution - critical severity
Using eval on expressions based on user input can execute arbitrary code.

Show fix

Remediation: Consider using ast.literal_eval as an alternative. If that is not possible, replace the usage with a safer alternative that strictly parses the expected input format.

_{Reply @AikidoSec ignore: [REASON] to ignore this issue.
More info}