Untrusted code execution

Random832 random832 at fastmail.com
Thu Apr 7 10:33:01 EDT 2016


On Thu, Apr 7, 2016, at 08:13, Jon Ribbens wrote:
> > All the obvious, and even not-so-obvious, attack tools are gone:
> > eval, exec, getattr, type, __import__.

We don't even need to take these away, per se.

eval and exec could be replaced with functions that perform the
evaluation with the same rules in the same sandbox.

I posted yesterday a sketch of a "type" proxy class that even allows "if
type(x) is type".

getattr could be replaced with something that does runtime checks for
whether an attribute is allowed. In principle, you could even have the AST
transform replace attempted underscore accesses with getattr, which
could check to allow whitelisted underscore-attributes.

> Indeed. The fundamental point is that we must not allow the attacker
> to have access to any of those things, or to gain access by using any
> of the tools which we have provided. I think this is not an impossible
> problem.
> 
> > I think this approach is promising enough that Jon should take it to a few
> > other places for comments, to try to get more eyeballs. Stackoverflow and
> > Reddit's /r/python, perhaps. 
> 
> I'll post some example code on github in a bit and see what people
> think.

I've thrown together some stuff, in addition to my type example from
yesterday, including a module importer.
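A sketch of the AST-transform idea from the message above, added here as an illustration rather than code from the post or from Jon's github repository: every load of an underscore attribute is rewritten into a call to a checking `getattr` replacement, and the whitelist `ALLOWED_UNDERSCORE_ATTRS` and the helper names are assumptions of this example.

```python
import ast

# Constructed whitelist of underscore attributes the sandbox permits
# (an assumption for this example, not taken from the original post).
ALLOWED_UNDERSCORE_ATTRS = frozenset({"__name__", "__doc__", "__len__"})


def checked_getattr(obj, name):
    """Runtime replacement for getattr: reject non-whitelisted underscore names."""
    if name.startswith("_") and name not in ALLOWED_UNDERSCORE_ATTRS:
        raise AttributeError(f"access to {name!r} is not permitted in the sandbox")
    return getattr(obj, name)


class UnderscoreAccessRewriter(ast.NodeTransformer):
    """Rewrite `expr._name` (load context) into `checked_getattr(expr, '_name')`.

    Store/Del contexts are left alone here; in 'eval' mode they cannot occur,
    and a statement-level sandbox would need its own handling for them.
    """

    def visit_Attribute(self, node):
        self.generic_visit(node)  # rewrite nested accesses first (a.__b.__c)
        if node.attr.startswith("_") and isinstance(node.ctx, ast.Load):
            call = ast.Call(
                func=ast.Name(id="checked_getattr", ctx=ast.Load()),
                args=[node.value, ast.Constant(node.attr)],
                keywords=[],
            )
            return ast.copy_location(call, node)
        return node


def rewrite_source(source):
    """Return the transformed expression as source text, for inspection."""
    tree = ast.fix_missing_locations(UnderscoreAccessRewriter().visit(ast.parse(source, mode="eval")))
    return ast.unparse(tree)


def run_sandboxed(source, namespace=None):
    """Transform and evaluate an expression with no builtins exposed."""
    tree = ast.fix_missing_locations(UnderscoreAccessRewriter().visit(ast.parse(source, mode="eval")))
    env = {"__builtins__": {}, "checked_getattr": checked_getattr}
    env.update(namespace or {})
    return eval(compile(tree, "<sandbox>", "eval"), env)


def is_rejected(source):
    """True if the sandbox refuses the expression with AttributeError."""
    try:
        run_sandboxed(source)
    except AttributeError:
        return True
    return False
```

Because the rewrite happens on the AST, `'abc'.__class__` is refused even though the attacker never spelled `getattr`, while the whitelisted `[1, 2].__len__()` still evaluates to 2.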
