
How can I give users the possibility to write scripts (in a secure way)?

Tags: python

I currently have the problem where I need to write a function which receives a dictionary where all values are strings or dictionaries and outputs a string. The problem is the logic for creating this output string. I would like to let the user write the logic.

Now, of course, I could just ask the user to create a valid Python script with a function

def generate_string(input_dict):
    # your logic
    return "some_string"

The problem is that I don't want the users to be able to execute arbitrary code. Especially working with the file system (reading / writing / deleting files) should not be possible. There should also be a limit in the computation time / memory usage.

Is this possible?

Currently, I let them enter a format string. But this seems to be too limited as it misses if statements.

Example

This is just a minimal, abstract example:

import datetime

def generate_string(input_dict):
    if input_dict['type'] == 1:
        return "I want my date in {d:%Y%m%d}".format(d=input_dict['date'])
    elif input_dict['type'] == 2:
        return "type is {}".format(input_dict['type'])
    return "some_string"

d = {'type': 1, 'date': datetime.date(2017, 1, 14)}
generate_string(d)
Martin Thoma asked Oct 30 '22 03:10



1 Answer

Python is not an easy language to lock down. Since it has a powerful introspection API, it is hard, if not impossible, to block all system calls.

The only secure approach I can think of is to run the scripts in a separate environment, such as a Docker container or a VM dedicated to running the scripts.

There is also PyPy, which can be run in sandboxed mode, but it is still a prototype and it might need a bit more work before being completely usable.

On the Python wiki, there is a page about sandboxing Python: https://wiki.python.org/moin/Asking%20for%20Help/How%20can%20I%20run%20an%20untrusted%20Python%20script%20safely%20%28i.e.%20Sandbox%29

PyPy sandboxing: http://pypy.org/features.html#sandboxing

Also, take a look at "How can I sandbox Python in pure Python?", which has an awesome answer to this same question.

Martin answered Nov 15 '22 05:11

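An added example, not part of the original question or answer: a worker that runs the user's `generate_string` in a separate interpreter process with CPU, memory and wall-clock limits, passing the dictionary in and the string out as JSON. The names `run_user_script` and `HARNESS`, the JSON request shape and the limit values are assumptions; the function limits resources only, so file-system and network isolation still have to come from the container or VM the answer recommends, with this worker running inside it.

```python
import json
import resource
import subprocess
import sys

# Runs in the child: read {"code", "input"} as JSON from stdin, call the
# user's generate_string(), write the resulting string to stdout as JSON.
HARNESS = (
    "import json, sys\n"
    "req = json.load(sys.stdin)\n"
    "ns = {}\n"
    "exec(req['code'], ns)\n"
    "json.dump(str(ns['generate_string'](req['input'])), sys.stdout)\n"
)


def _cap(kind, value):
    # Never ask for more than the hard limit this process already has.
    hard = resource.getrlimit(kind)[1]
    if hard != resource.RLIM_INFINITY:
        value = min(value, hard)
    resource.setrlimit(kind, (value, value))


def run_user_script(code, input_dict, cpu_seconds=2,
                    mem_bytes=512 * 2**20, wall_seconds=5):
    """Run user code in a child interpreter; return its string or raise.

    Only CPU time, address space and wall-clock time are limited here.
    File and network access are NOT restricted by this function: call it
    from inside the container or VM that provides that isolation.
    """
    def limits():  # executed in the child just before exec()
        _cap(resource.RLIMIT_CPU, cpu_seconds)
        _cap(resource.RLIMIT_AS, mem_bytes)

    request = json.dumps({"code": code, "input": input_dict})
    try:
        proc = subprocess.run(
            [sys.executable, "-I", "-c", HARNESS], input=request,
            capture_output=True, text=True, timeout=wall_seconds,
            preexec_fn=limits)
    except subprocess.TimeoutExpired:
        raise RuntimeError("wall-clock limit exceeded") from None
    if proc.returncode != 0:  # killed by a limit, or the script raised
        raise RuntimeError(f"user script failed (exit {proc.returncode})")
    return json.loads(proc.stdout)
```

Because the input crosses the process boundary as JSON, values such as `datetime.date` have to be sent as strings (for example ISO dates) and parsed by the user's script.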