Run untrusted Python code that can communicate with the main program but is isolated from the system

Prologue: I know that many people have already tried to build a Python sandbox in Python and failed, but I have not seen an approach based on additional pre-processing of the script as text, rejecting scripts that contain keywords such as __base__ which could be used to recover the hidden __builtins__. I think this approach is new and has not yet been proven to fail - right?

I plan to write a multi-player strategy game in which players cannot interact with their units directly using keyboard and mouse commands, but only through scripts that they send in order to change the automatic behavior of their units. This is based on the idea of http://screeps.com .

I would like to write this in Python 3, but the main problem is the safe execution of untrusted scripts from other players on the server. I know that I cannot trust exec() or eval() even when passing empty globals and locals as the environment. I also know that simply erasing __builtins__ does not work either, because they can easily be restored using Python's introspection capabilities, as described here: http://nedbatchelder.com/blog/201302/finding_python_3_builtins.html

I have already learned that PyPy or Jython may have some kind of sandbox feature that would probably work for my purpose, but I would prefer to stay with the CPython interpreter. In addition, I could only find examples where these sandbox features are applied to entire programs, and none of them consists of a main program that runs untrusted scripts as child threads and communicates efficiently with them.


But I think I have one more chance: I can pre-process the submitted scripts literally, look for strings like __class__ or __base__, and reject scripts containing these keywords. I would also have to replace eval() and exec() within a script with my own protected functions, which likewise refuse to run code containing these keywords.

Would this approach, together with overriding all potentially dangerous elements (which ones?) using a custom globals argument to exec(), be safe? What keywords should I look for?

If not, why does it fail? Can you suggest a better solution?

+7
python security interpreter execution
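Editor's note: the following is an added example, not code from the question, the answer, or any project. It implements the textual keyword filter the question proposes (the blocklist, the names BLOCKED, passes_filter, run_filtered and the host-side Unit class are hypothetical stand-ins for the game server's own code) and then runs two player scripts that pass the filter yet still recover the real __import__: one with no builtins exposed at all, and one where the host has exposed only getattr.

```python
# Added example, not code from the question, the answer or any project: the
# textual keyword filter the question proposes, and two player scripts that
# pass it yet still recover the real __import__. Names such as BLOCKED,
# run_filtered and Unit are hypothetical stand-ins for the game server's code.

# Keywords the question suggests rejecting, plus the obvious companions.
BLOCKED = ("__class__", "__base__", "__bases__", "__subclasses__", "__mro__",
           "__globals__", "__builtins__", "__import__", "__dict__",
           "eval", "exec", "compile", "open")


class Unit:
    """A host-side object of the kind the server would hand to a player script."""

    def __init__(self, hp=100):
        self.hp = hp


def passes_filter(script):
    """The pre-check from the question: reject any script containing a blocked keyword."""
    return not any(kw in script for kw in BLOCKED)


def run_filtered(script, exposed=None):
    """Filter, then exec with emptied builtins plus whatever the host chooses to expose."""
    if not passes_filter(script):
        raise ValueError("script rejected by keyword filter")
    env = {"__builtins__": dict(exposed or {}), "unit": Unit()}
    exec(script, env)
    return env


# Bypass 1: nothing exposed at all. The parser NFKC-normalises identifiers
# (PEP 3131), so fullwidth letters spell __class__, __globals__ and __dict__
# without the ASCII substrings the filter searches for; adjacent string
# literals are joined at compile time, which hides the dict keys the same way.
# Note the bare except: without builtins the script cannot even name TypeError.
NFKC_SCRIPT = """
g = unit.__ｃｌａｓｓ__.__init__.__ｇｌｏｂａｌｓ__
b = g['__' 'builtins' '__']
try:
    imp = b['__imp' 'ort__']        # imported modules keep the builtins dict here
except:                             # __main__ keeps the builtins module instead
    imp = b.__ｄｉｃｔ__['__imp' 'ort__']
os_mod = imp('os')
"""

# Bypass 2: the host decides getattr is harmless and exposes it. Attribute
# names are then ordinary runtime strings, assembled from fragments.
GETATTR_SCRIPT = """
ga = getattr
g = ga(ga(ga(unit, '__cla' 'ss__'), '__init__'), '__glob' 'als__')
b = g['__' 'builtins' '__']
imp = ga(b, '__' 'dict' '__', b)['__imp' 'ort__']
os_mod = imp('os')
"""


def demonstrate():
    """Run both scripts; report whether each passed the filter and reached __import__."""
    results = {}
    for name, script, exposed in (("nfkc", NFKC_SCRIPT, {}),
                                  ("getattr", GETATTR_SCRIPT, {"getattr": getattr})):
        env = run_filtered(script, exposed)      # raises if the filter rejects it
        results[name] = env["imp"] is __import__ and env["os_mod"].__name__ == "os"
    return results


if __name__ == "__main__":
    print(demonstrate())  # {'nfkc': True, 'getattr': True}
```

The filter inspects source text, but the interpreter works on NFKC-normalised identifiers and on strings that only exist at run time, so the two never agree on what the script "contains". The bridge into the host is not some exotic builtin: it is the unit object the server deliberately hands to the script, whose class has a method, whose function object has __globals__. Any host object with a Python-level method offers the same route, and any exposed builtin that turns a string into an attribute lookup (getattr here) removes even the need for the NFKC trick.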
1 answer

I'm not sure this is a good idea. There are possibilities to use PyPy or even a dedicated Python sandbox project that has already dealt with a lot of the system isolation, but the first requires a lot of work to create a secure environment, and the second does not support Python 3.x.

Moreover, the author of pysandbox stopped development in 2013, as he announced on its GitHub page:

pysandbox is BROKEN BY DESIGN, please move to a new sandbox solution (run python in a sandbox, not the opposite!) https://lwn.net/Articles/574215/

If you can accept a limited syntax, it would be much safer to define a dedicated grammar and build your own interpreter with Python Lex-Yacc.

I have to admit that this is more a set of hints than a complete answer, but it is the best I can do for now (and the python sandbox was not mentioned in the previous SO question).

+1
