[Python-Dev] Challenge: Please break this! (a.k.a restricted mode revisited)

Chris Angelico rosuav at gmail.com
Mon Apr 11 13:02:54 EDT 2016


On Tue, Apr 12, 2016 at 2:53 AM, Jon Ribbens <jon+python-dev at unequivocal.co.uk> wrote:

> On Mon, Apr 11, 2016 at 04:04:21PM +0100, Paul Moore wrote:
> > However, it's not at all clear (to me at least) what you are trying to do.
>
> I'm trying to see to what extent we can use ast node inspection to remedy the failures of prior attempts at Python sandboxing. Is there any extent to which Python can be sandboxed, or is even trying to use it as a calculator function unfixably insecure?

It all depends on how much functionality you want. If all you need is a numeric expression evaluator, that's not too hard - disallow all forms of attribute access, etc, and just have simple numbers and operators. That's pretty useful, and safe. Alternatively, go completely the other way. Let people run whatever code they like... in an environment where it can't hurt anyone else. That's what PyPyJS does - don't bother looking for security holes in it, because all you're doing is attacking your own computer.

The hard part comes when you want to allow some, but not all, interaction with the outside world. When I was looking into this kind of sandboxing (although it was Python-in-C++ rather than Python-in-Python), it was to allow untrusted users to control certain parts of server-side execution. The result was dismal, because it's fundamentally impossible to allow the level of control I wanted without allowing a level of control I didn't want.

So before you can ask whether Python is unfixably insecure, you first have to decide what the minimum level of functionality is that you'll accept. Do you need basic arithmetic plus trigonometric functions? Easy enough - disallow all attribute access and imports, and populate builtins with "from math import *". Need them to be able to assign variables and define functions? That's gonna be harder.

ChrisA
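As an added illustration of the "numbers, operators and a few math functions, no attribute access, no imports" subset that Chris describes above, here is a small AST-walking evaluator. It is not code from this thread or from any CPython sandboxing proposal; the function names, the particular allow-list of math functions, and the nesting/length limits are my own assumptions. The point is that it walks the parsed `ast` with an allow-list: every node type that is not explicitly handled (Attribute, Subscript, Lambda, Tuple, string literals, `**`, and so on) falls through to a rejection, so the `().__class__`-style escapes that broke earlier sandboxes never reach evaluation.

```python
import ast
import math
import operator

# Operators the evaluator is willing to apply. ast.Pow is deliberately absent:
# "9**9**9**9" is a denial of service even in a pure arithmetic subset.
_BINOPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
    ast.FloorDiv: operator.floordiv,
    ast.Mod: operator.mod,
}
_UNARYOPS = {
    ast.UAdd: operator.pos,
    ast.USub: operator.neg,
}

# Explicit name -> callable table (an assumed allow-list), built by hand rather
# than via "from math import *" so nothing but these callables is reachable.
_FUNCTIONS = {
    name: getattr(math, name)
    for name in ("sin", "cos", "tan", "asin", "acos", "atan", "atan2",
                 "sqrt", "log", "exp", "floor", "ceil", "fabs")
}
_CONSTANTS = {"pi": math.pi, "e": math.e}

MAX_DEPTH = 50  # assumed limit; stops deeply nested input exhausting the C stack


class RejectedExpression(ValueError):
    """Raised when the input uses anything outside the arithmetic subset."""


def _eval(node, depth=0):
    if depth > MAX_DEPTH:
        raise RejectedExpression("expression nested too deeply")
    if isinstance(node, ast.Expression):
        return _eval(node.body, depth + 1)
    if isinstance(node, ast.Constant):
        # Only int/float literals; no strings, bytes, bools, None, Ellipsis.
        if type(node.value) in (int, float):
            return node.value
        raise RejectedExpression(f"literal of type {type(node.value).__name__} not allowed")
    if isinstance(node, ast.Name):
        if node.id in _CONSTANTS:
            return _CONSTANTS[node.id]
        raise RejectedExpression(f"unknown name {node.id!r}")
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARYOPS:
        return _UNARYOPS[type(node.op)](_eval(node.operand, depth + 1))
    if isinstance(node, ast.BinOp) and type(node.op) in _BINOPS:
        left = _eval(node.left, depth + 1)
        right = _eval(node.right, depth + 1)
        return _BINOPS[type(node.op)](left, right)
    if isinstance(node, ast.Call):
        # Only a bare name may be called, and only one from the allow-list.
        # Starred args and keywords are rejected (Starred is an unhandled node).
        if not isinstance(node.func, ast.Name) or node.func.id not in _FUNCTIONS:
            raise RejectedExpression("call target not allowed")
        if node.keywords:
            raise RejectedExpression("keyword arguments not allowed")
        args = [_eval(a, depth + 1) for a in node.args]
        return _FUNCTIONS[node.func.id](*args)
    # Attribute, Subscript, Tuple, Lambda, comprehensions, f-strings, Pow, ...
    raise RejectedExpression(f"{type(node).__name__} not allowed")


def safe_eval(text: str, max_len: int = 1000) -> float:
    """Evaluate an untrusted arithmetic expression or raise RejectedExpression."""
    if len(text) > max_len:
        raise RejectedExpression("expression too long")
    try:
        tree = ast.parse(text, mode="eval")
    except (SyntaxError, ValueError, RecursionError, MemoryError) as exc:
        raise RejectedExpression(f"parse failed: {exc}") from None
    return _eval(tree)


def is_rejected(text: str) -> bool:
    """True if safe_eval refuses the input; used to check escape attempts."""
    try:
        safe_eval(text)
    except RejectedExpression:
        return True
    return False
```

Arithmetic errors such as `1/0` or `sqrt(-1)` still propagate as `ZeroDivisionError`/`ValueError`; a caller would catch `ArithmeticError` and `ValueError` alongside `RejectedExpression`. Adding variable assignment or user-defined functions, the "harder" case in the post, means handling `Assign`, `FunctionDef` and a scope model, and every new node type handled is another surface to reason about.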


