
[RFC] Safe eval/exec for arbitrary code execution #4905

Open
@dgheig

Description

Summary

Make different levels of execution to provide a safe way of running arbitrary code.
I know it is not a goal of the Python language; the CPython repository made it clear in many issues and I think it would be hard to change it. This issue is more suited for this version of the interpreter since this project aims for embedding.

Detailed Explanation

I often see projects that want the end-user to provide some code to be executed. The issue is that there is no safe way to allow that. There are many attempts: limiting the globals provided, with custom builtins, checks of co_code to avoid assignment and other operations that would mutate objects passed to eval, checks for access to object attributes/methods that start with an underscore...
This is a lot of work with a big performance impact and still not safe depending on what we add in the eval context.

The recommendation is to sandbox the Python project or use another language like Lua. The sandbox solution doesn't work if your app is a web app that must be able to do many operations and the evals are made by different customers: you would need to generate Docker containers on the fly for each evaluation. Using Lua inside Python is quite a shame.

Since this project also aims for embedding python in apps, I think this would be a good idea.

  • One solution would be to have Python constructed in a different way than it is today and take inspiration from V8: the basic language does not expose any IO/OS/... functionality. Then, as Node does, these features can be injected into the Python context. Having the possibility to tweak this when calling eval or running a Python interpreter would be great.
  • Have a minimal version of the parser that, for example, won't allow accessing attributes that start with an underscore.
  • ..

Drawbacks, Rationale, and Alternatives

This should only add the possibility to remove some functionality to have a trusted version of the language, but this requires many changes in the code.

Unresolved Questions

Thank you for reading, I really hope I did not miss a similar issue.
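For reference, an added example (not part of the issue or the project's code) of the kind of userland filter the post lists: an AST allowlist, the "no attributes starting with an underscore" rule, and a minimal builtins dict passed to eval. It is a mitigation that raises the bar for accidental misuse, and the post's point stands that it is not a security boundary; the names `check_expression`, `is_accepted` and `restricted_eval` are this example's own.

```python
import ast

# Allowlist of AST node types a user expression may contain (no statements,
# no lambdas/comprehensions, no walrus, no f-strings, no starred args).
_ALLOWED_NODES = (
    ast.Expression, ast.Constant, ast.Name, ast.Load, ast.Attribute,
    ast.Subscript, ast.Slice, ast.Call, ast.keyword, ast.IfExp,
    ast.BinOp, ast.UnaryOp, ast.BoolOp, ast.Compare,
    ast.List, ast.Tuple, ast.Dict, ast.Set,
    ast.operator, ast.unaryop, ast.boolop, ast.cmpop,
)

# Minimal builtins namespace: no __import__, open, getattr, eval, exec, ...
_SAFE_BUILTINS = {
    "abs": abs, "min": min, "max": max, "sum": sum, "len": len,
    "round": round, "int": int, "float": float, "str": str, "bool": bool,
}


class UnsafeExpression(ValueError):
    """Raised when the expression uses a construct the filter rejects."""


def check_expression(source: str) -> ast.Expression:
    """Parse `source` as one expression and reject disallowed constructs."""
    tree = ast.parse(source, mode="eval")
    for node in ast.walk(tree):
        if not isinstance(node, _ALLOWED_NODES):
            raise UnsafeExpression(f"disallowed syntax: {type(node).__name__}")
        # The underscore rule from the post: no obj._x / obj.__class__ ...
        if isinstance(node, ast.Attribute) and node.attr.startswith("_"):
            raise UnsafeExpression(f"private attribute access: {node.attr}")
        # ... and no bare names such as __builtins__ or __import__
        if isinstance(node, ast.Name) and node.id.startswith("_"):
            raise UnsafeExpression(f"private name: {node.id}")
    return tree


def is_accepted(source: str) -> bool:
    # True if the static filter lets `source` through (handy for logging/tests).
    try:
        check_expression(source)
        return True
    except (UnsafeExpression, SyntaxError):
        return False


def restricted_eval(source: str, names=None):
    """Evaluate a user-supplied expression with a filtered AST and minimal builtins."""
    code = compile(check_expression(source), "<user-expr>", "eval")
    env = {"__builtins__": _SAFE_BUILTINS, **(names or {})}
    return eval(code, env)  # intentionally restricted; see the caveat in the post
```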
