[Python-Dev] The pysandbox project is broken

Victor Stinner victor.stinner at gmail.com
Wed Nov 13 09:28:41 CET 2013


2013/11/13 Glenn Linderman <v+python at g.nevcal.com>:
> If it is an implementation issue, then perhaps a different implementation
> would help. Or perhaps a "safe compiler".

There is PyPy with its sandbox.

> If it is a language design issue, then a different implementation wouldn't
> help, it would require a new language, or a restricted subset. I'm not sure
> whether some of the onerous sounding restrictions result from language or
> implementation issues; some of them certainly sounded like implementation
> issues.
>
> A restricted subset, compiled by a validating compiler, might still be a
> useful language, even if the execution speed has to be reduced by a
> validating runtime.
>
> Perhaps exception handling for exceptions hit inside a sandbox need to stop
> at the sandbox boundary. That is, exceptions within the sandbox stay within
> the sandbox, and exceptions generated due to sandbox calls to the
> implementation need to stay outside the sandbox, and then sanitized and
> limited information passed back in to the sandbox.
>
> Perhaps a different/restricted set of builtins must be provided within the
> sandbox.

The problem is to draw a line between the trusted namespace and the
untrusted namespace. Tracebacks are just one example, there are too
many other examples. Just another example: from types.__bases__, you
may reach all available types in Python, even "sensitive" types.

If you cannot draw a line because it is too complex, it probably means
that it's simpler to consider that the whole Python process is
untrusted. In this case, you have to put the sandbox outside Python,
not inside.

The second problem is that if you modify the Python language and write
a limited implementation of Python, it is no more the Python language.
What is the purpose of your sandbox if you cannot use the full Python
language and the stdlib?

It also depends on you use the sandbox. If it's just to evaluate basic
mathematic expressions, it's easier to use Python with an external
sandbox.

If you want to plug the sandbox "in your application", it's more
complex because you have to give access to your sensitive data through
a proxy, so the proxy must be carefully written.

Victor


More information about the Python-Dev mailing list