[IronPython] Safe execution of python scripts on my .net application

Nicolás Buttarelli nbuttarelli at gmail.com
Tue Nov 3 21:07:42 CET 2009 

Hi again, thanks for your clear response.

I was trying to do what you proposed but it is not working. I am receiving
an exception:

*Test method
CadworX3WCFRestTest.IronPython.SafeScriptExecutionTest.writingAFileTest
threw exception:  System.Runtime.Serialization.SerializationException: Type
is not resolved for member
'Microsoft.Scripting.Hosting.ScriptRuntimeSetup,Microsoft.Scripting,
Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35'..
*
I tried to find a solution but I couldn't. This is the minimal code that I
am running to get this exception (I have removed all the security stuff but
apparently that does not resolve the problem):

*AppDomain aSandboxedDomain = AppDomain.CreateDomain("Sandboxed Domain");*
*
*
*ScriptEngine engine = Python.CreateEngine(aSandboxedDomain);*
*ScriptSource source = engine.CreateScriptSourceFromString(pythonScript);*
*SriptScope scope = engine.CreateScope();*
*source.Execute(scope);*

The exception is thronged in this line:
*ScriptEngine engine = Python.CreateEngine(aSandboxedDomain);*


Do you have any idea which could be the problem?

Thanks again,
Nicolas

On Mon, Nov 2, 2009 at 10:25 PM, Dino Viehland <dinov at microsoft.com> wrote:

>  Assuming the app domain is setup properly then there’s no way for the
> Python code to elevate permissions (modulo CLR security bugs which are few
> and far between).  This is because IronPython its self is 100% security
> transparent and does not affect any security decisions or assert any form of
> trust – so it’s all up to the CLR to limit permissions.  So for example
> while you can access the file object, or import ctypes, or call various
> other Python APIs which would require trust you’ll get a security exception
> from the CLR when you don’t have permissions to do something.
>
>
>
> For more complex scenarios you might also have an object model which you
> expose to the application and inject in via its scope.  Once you’ve done
> that you’ll want to make sure that the object model is also secure.
>
>
>
>
>
> *From:* users-bounces at lists.ironpython.com [mailto:
> users-bounces at lists.ironpython.com] *On Behalf Of *Nicolás Buttarelli
> *Sent:* Monday, November 02, 2009 1:20 PM
> *To:* Discussion of IronPython
> *Subject:* Re: [IronPython] Safe execution of python scripts on my .net
> application
>
>
>
> Thanks for your response.
>
>
>
> But what happens with the python code? Does not exist a way to write some
> scripts that can do some damage to my app, the server, the database, etc?
>
>
>
> Thanks again,
>
> Nicolas
>
>
>
> On Mon, Nov 2, 2009 at 9:41 PM, Dino Viehland <dinov at microsoft.com> wrote:
>
> After creating your app domain you can do:
>
>
>
> ScriptEngine engine = Python.CreateEngine(someAppDomain);
>
>
>
> And then the rest of your code should work as it’s written.
>
>
>
>
>
> *From:* users-bounces at lists.ironpython.com [mailto:
> users-bounces at lists.ironpython.com] *On Behalf Of *Nicolás Buttarelli
> *Sent:* Monday, November 02, 2009 12:39 PM
> *To:* users at lists.ironpython.com
> *Subject:* [IronPython] Safe execution of python scripts on my .net
> application
>
>
>
> Sorry, I don't know if my previous message have arrived. So, here it is:
>
>
>
>
>
> Hello all,
>
>
>
> I am starting with python and I would like to add to my web application
> some web services. This services will allow the different clients of my
> application to execute some python scripts.
>
>
>
> I would like to know if someone did this before and how can I do this in a
> secure way. I mean, how can I do to restrict the environment where the
> scripts will be executed.
>
>
>
> In .net I can do this using the AppDoman and setting the permission set.
>
>
>
> AppDomain.CreateDomain( string friendlyName,
>                         Evidence securityInfo,
>                         AppDomainSetup info,
>                         PermissionSet grantSet,
>                         params StrongName[] fullTrustAssemblies);
>
>
>
>
>
> Is there a way to do the same with my python scripts?
>
>
>
> I am running them using this:
>
>
>
> ScriptEngine engine = Python.CreateEngine();
>
> ScriptSource source = engine.CreateScriptSourceFromString(scriptAsString);
>
> ScriptScope scope = engine.CreateScope();
>
> source.Execute(scope);
>
>
>
> Thanks in advance.
>
> Nicolas
>
>
> _______________________________________________
> Users mailing list
> Users at lists.ironpython.com
> http://lists.ironpython.com/listinfo.cgi/users-ironpython.com
>
>
>
> _______________________________________________
> Users mailing list
> Users at lists.ironpython.com
> http://lists.ironpython.com/listinfo.cgi/users-ironpython.com
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/ironpython-users/attachments/20091103/43b2836c/attachment.html>

More information about the Ironpython-users mailing list