[Python-Dev] The pysandbox project is broken

Victor Stinner victor.stinner at gmail.com
Wed Nov 13 09:28:41 CET 2013


2013/11/13 Glenn Linderman <v+python at g.nevcal.com>:

> If it is an implementation issue, then perhaps a different implementation would help. Or perhaps a "safe compiler".

There is PyPy with its sandbox.

> If it is a language design issue, then a different implementation wouldn't help, it would require a new language, or a restricted subset. I'm not sure whether some of the onerous-sounding restrictions result from language or implementation issues; some of them certainly sounded like implementation issues.

> A restricted subset, compiled by a validating compiler, might still be a useful language, even if the execution speed has to be reduced by a validating runtime. Perhaps exception handling for exceptions hit inside a sandbox needs to stop at the sandbox boundary. That is, exceptions within the sandbox stay within the sandbox, and exceptions generated due to sandbox calls to the implementation need to stay outside the sandbox, and then sanitized and limited information passed back into the sandbox. Perhaps a different/restricted set of builtins must be provided within the sandbox.

The problem is to draw a line between the trusted namespace and the untrusted namespace. Tracebacks are just one example; there are too many other examples. Just another example: from types.bases, you may reach all available types in Python, even "sensitive" types.

If you cannot draw a line because it is too complex, it probably means that it's simpler to consider that the whole Python process is untrusted. In this case, you have to put the sandbox outside Python, not inside.

The second problem is that if you modify the Python language and write a limited implementation of Python, it is no longer the Python language. What is the purpose of your sandbox if you cannot use the full Python language and the stdlib?

It also depends on how you use the sandbox. If it's just to evaluate basic mathematical expressions, it's easier to use Python with an external sandbox.

If you want to plug the sandbox "in your application", it's more complex because you have to give access to your sensitive data through a proxy, so the proxy must be carefully written.

Victor
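As an added illustration of the "restricted subset compiled by a validating compiler" idea and of stopping exceptions at the sandbox boundary, both discussed in the thread (example code, not from the thread or from pysandbox): an allow-list evaluator for arithmetic expressions that walks the `ast` instead of calling `eval`, rejects every node kind outside the allow-list (names, attribute access, calls, subscripts), and re-raises errors across the boundary with the chained traceback dropped. `MAX_EXPONENT` and `UnsafeExpression` are constructed names; the price, as Victor notes, is that this is no longer the Python language, only a tiny subset of it.

```python
import ast
import operator

# Allow-list of arithmetic operators; any other node type is rejected outright.
BINARY_OPS = {
    ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
    ast.Div: operator.truediv, ast.FloorDiv: operator.floordiv,
    ast.Mod: operator.mod, ast.Pow: operator.pow,
}
UNARY_OPS = {ast.UAdd: operator.pos, ast.USub: operator.neg}
MAX_EXPONENT = 1000  # constructed limit: stops 9**9**9-style CPU and memory blow-ups


class UnsafeExpression(ValueError):
    """The only exception type that crosses the sandbox boundary."""


def _eval(node):
    # Numbers only: bool, str, bytes, None are Constants too and are rejected here.
    if isinstance(node, ast.Constant) and type(node.value) in (int, float):
        return node.value
    if isinstance(node, ast.BinOp) and type(node.op) in BINARY_OPS:
        left, right = _eval(node.left), _eval(node.right)
        if isinstance(node.op, ast.Pow) and abs(right) > MAX_EXPONENT:
            raise UnsafeExpression("exponent too large")
        return BINARY_OPS[type(node.op)](left, right)
    if isinstance(node, ast.UnaryOp) and type(node.op) in UNARY_OPS:
        return UNARY_OPS[type(node.op)](_eval(node.operand))
    # Name, Attribute, Call, Subscript, comprehensions, lambda, ...: never evaluated,
    # so there is no path from the expression into the interpreter's type graph.
    raise UnsafeExpression(f"disallowed syntax: {type(node).__name__}")


def safe_eval(expr: str):
    """Evaluate an arithmetic-only expression; everything else raises UnsafeExpression."""
    try:
        tree = ast.parse(expr, mode="eval")  # mode="eval" rejects statements
        return _eval(tree.body)
    except SyntaxError:
        raise UnsafeExpression("syntax error") from None
    except ArithmeticError as exc:
        # Runtime errors (ZeroDivisionError, OverflowError) leave the sandbox as a
        # sanitized message only; `from None` drops the traceback chain.
        raise UnsafeExpression(type(exc).__name__) from None


def is_safe(expr: str) -> bool:
    """True if the expression is accepted and evaluates without error."""
    try:
        safe_eval(expr)
        return True
    except UnsafeExpression:
        return False
```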


