I currently have the problem where I need to write a function which receives a dictionary where all values are strings or dictionarys and outputs a string. The problem is the logic for creating this output string. I would like to let the user write the logic.
Now, of course, I could just ask the user to create a valid Python script with a function
def generate_string(input_dict):
# your logic
return "some_string"
The problem is that I don't want the users to be able to execute arbitrary code. Especially working with the file system (reading / writing / deleting files) should not be possible. There should also be a limit in the computation time / memory usage.
Is this possible?
Currently, I let them enter a format string. But this seems to be too limited as it misses if
statements.
This is just a minimal, abstract example:
def generate_string(input_dict):
if input_dict['type'] == 1:
return "I want my date in {d:%Y%m%d}".format(d=input_dict['date'])
elif input_dict['type'] == 2:
return "type is {}".format(input_dict['type'])
return "some_string"
d = {'type': 1, 'date': datetime.date(2017, 1, 14)}
generate_string(d)
Python is not an easy language to lock down. Since it has a powerful introspection api, it is hard, if not impossible to block all system calls.
The only secure approach I can think of is to run the scripts on a separate environment, such as a docker container or a vm dedicated to running the scripts.
There is also pypy which can be run in sandboxed mode, but it is still a prototype and it might need a bit more work before being completely usable.
On the python wiki, there is a page about sandboxing python https://wiki.python.org/moin/Asking%20for%20Help/How%20can%20I%20run%20an%20untrusted%20Python%20script%20safely%20%28i.e.%20Sandbox%29
PyPy sandboxing: http://pypy.org/features.html#sandboxing
Also, take a look at How can I sandbox Python in pure Python? which has an awesome answer to this same question.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With