[issue43438] [doc] sys.addaudithook() documentation should be more explicit on its limitations

STINNER Victor report at bugs.python.org
Mon Mar 8 15:26:14 EST 2021


New submission from STINNER Victor <vstinner at python.org>:

Recently, the PEP 578 audit hooks were used to build a Capture The Flag (CTF) security challenge, AntCTF x D^3CTF: https://d3ctf.io/

Multiple issues have been reported to the Python Security Response Team (PSRT) from this challenge. It seems like there was a misunderstanding on the intent of the PEP 578.

Building a sandbox using audit hooks is *explicitly* excluded from the PEP 578 design:
https://www.python.org/dev/peps/pep-0578/#why-not-a-sandbox

See also the PEP 551 for more details.

The problem is that these two PEPs are not well summarized in the Python documentation, especially in the sys.addaudithook() documentation:
https://docs.python.org/dev/library/sys.html#sys.addaudithook

The documentation should better describe limitations of audit hooks, and may also point to these two PEPs for more information (PEP 578 is already mentioned).

The bare minimum should be to explicitly say that it should not be used to build a sandbox.

By design, audit events are a whack-a-mole game. Rather than starting from a short "allow list", it is based on a "deny list", so it cannot be safe or complete by design. Every "forgotten" audit event can be "abused" to take control of the application. And that's perfectly *fine*. It should just be documented.

----------
assignee: docs at python
components: Documentation
messages: 388299
nosy: christian.heimes, docs at python, steve.dower, vstinner
priority: normal
severity: normal
status: open
title: [doc] sys.addaudithook() documentation should be more explicit on its limitations
versions: Python 3.10

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue43438>
_______________________________________
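The report above describes audit hooks as a deny-list mechanism meant for auditing rather than sandboxing. The following is an added example, not part of the tracker message or of CPython's documentation, showing the intended use: a hook installed with `sys.addaudithook()` that records every event it sees and refuses one named operation by raising. The names `AUDIT_LOG`, `BLOCKED_EVENTS`, `AuditDenied`, `audit_hook`, `install` and `run_demo` are this example's own; the event names `open`, `compile`, `os.system` and `sys.addaudithook` are the ones CPython raises (3.8 and later).

```python
import os
import sys
import tempfile

# Events recorded by the hook. In a real deployment these would be forwarded
# to a log pipeline; here they are kept in memory so the demo can inspect them.
AUDIT_LOG = []

# Operations this policy refuses. This is a deny list: any event not named here
# passes untouched, which is why PEP 578 describes hooks as an audit mechanism
# and explicitly not as a sandbox.
BLOCKED_EVENTS = {"os.system"}

_installed = False


class AuditDenied(RuntimeError):
    """Raised by the hook to abort an operation the policy does not allow.

    Deriving from RuntimeError matters for the "sys.addaudithook" event: if a
    hook raises a RuntimeError subclass there, the new hook is silently not
    added, so an existing hook can freeze the set of hooks.
    """


def audit_hook(event, args):
    # Hooks run for every audited operation in the interpreter, so they must be
    # cheap and must not raise for events they do not care about. Only a short
    # repr of the arguments is kept so the log does not pin large objects.
    AUDIT_LOG.append((event, repr(args)[:200]))
    if event in BLOCKED_EVENTS:
        raise AuditDenied(f"audit policy blocked {event}: {args!r}")


def install():
    # A hook cannot be removed once added; it lives until the interpreter
    # exits. The flag just keeps the demo from registering it twice.
    global _installed
    if not _installed:
        sys.addaudithook(audit_hook)
        _installed = True


def events_seen():
    return {event for event, _ in AUDIT_LOG}


def run_demo():
    """Exercise three audited operations and report what the hook observed."""
    install()

    # 1. Opening a file is visible to the hook as the "open" event.
    path = os.path.join(tempfile.gettempdir(), "addaudithook_demo.txt")
    with open(path, "w") as fh:
        fh.write("hello")
    with open(path) as fh:
        content = fh.read()
    os.remove(path)

    # 2. Compiling source text is visible as the "compile" event.
    compile("1 + 1", "<demo>", "eval")

    # 3. os.system is on the deny list, so the hook aborts it before it runs.
    denied = False
    try:
        os.system("echo should-not-run")
    except AuditDenied:
        denied = True

    seen = events_seen()
    return {
        "open_seen": "open" in seen,
        "compile_seen": "compile" in seen,
        "denied": denied,
        "file_content": content,
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The point of the demo is the shape of the mechanism, not the policy: the hook only ever reacts to the event names it has been told about, every other operation proceeds normally, and the hook's value lies in the log it produces, which is what PEP 578 and PEP 551 intend it for.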