[IPython-dev] Registering Input Transformers that can Reject Input

ssanderson ssanderson at quantopian.com
Fri Sep 5 13:36:32 EDT 2014


Hi Thomas,

Glad to hear that it sounds like this makes sense for the main line.  

We're well aware of the difficulties of securely executing untrusted Python
code; in a lot of ways solving that problem well is more important to our
business than any of the financial simulation tools that are ostensibly our
product!  As you note, there are all sorts of ways to dynamically get access
to dangerous things (vars, eval, exec, and getattr are the ones we see the
most, but we also see breakout attempts using more exotic things like the
func_globals attribute on function objects).  We do a fair amount of runtime
sandboxing in addition to the static checks, but static
analysis/transformation has proven to be one of the best tools available to
us.

As for the expected semantics, our current infrastructure builds a list of
violations on a NodeTransformer and just stores them to be converted into a
custom SecurityViolation exception elsewhere, but looking at
InteractiveShell.transform_ast I think it makes more sense to raise an
exception than to have the shell check something like a `failed` attribute
on the transformer.  

The current behavior seems to be that any NodeTransformer that raises is
considered broken and removed from the shell, so there would need to be a
specific exception class used to signal "this code is broken, not me!"

If you think it makes sense to do so, I'd be happy to try and put together a
PR for this.

-Scott
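
The semantics discussed in this message, as an added example (not code from the message, from Quantopian, or from IPython): a NodeTransformer that collects violations and raises a dedicated exception, and a hypothetical `apply_transformers` loop that treats that exception as "input rejected" and any other exception as a broken transformer. The banned-name sets, `RejectDangerousNames` and `apply_transformers` are assumptions made for illustration; `__globals__` is the Python 3 spelling of `func_globals`.

```python
import ast

# Dynamic-access routes named in the message (illustrative, not exhaustive).
BANNED_NAMES = {"vars", "eval", "exec", "getattr"}
BANNED_ATTRS = {"func_globals", "__globals__"}  # Python 2 / Python 3 spelling


class SecurityViolation(Exception):
    """Signals that the *input* is rejected; the transformer itself is fine."""

    def __init__(self, violations):
        super().__init__("; ".join(violations))
        self.violations = violations


class RejectDangerousNames(ast.NodeTransformer):
    """Collects every violation in the tree, then raises once at the end."""

    def visit_Module(self, node):
        self.violations = []
        self.generic_visit(node)
        if self.violations:
            raise SecurityViolation(self.violations)
        return node

    def visit_Name(self, node):
        # Flag any reference, not only calls, so `f = eval` is caught too.
        if node.id in BANNED_NAMES:
            self.violations.append(f"line {node.lineno}: use of {node.id}")
        return node

    def visit_Attribute(self, node):
        if node.attr in BANNED_ATTRS:
            self.violations.append(f"line {node.lineno}: access to .{node.attr}")
        return self.generic_visit(node)


def apply_transformers(source, transformers):
    """Hypothetical shell loop; mutates `transformers` like a registry."""
    tree = ast.parse(source)
    for t in list(transformers):
        try:
            tree = t.visit(tree)
        except SecurityViolation:
            raise  # the code is at fault: abort, keep the transformer
        except Exception:
            transformers.remove(t)  # the transformer is at fault: drop it
    return tree
```
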


