
I read this Q&A and I'm not convinced it applies here.

I have an application where I want to allow mostly preset formulas to be set in widgets: for instance, returning the last part of a string using `str.partition`.

This isn't a webapp but a wx.widgets one; only company employees can use it, so the risk is minimal. But how could I apply a minimum of security to avoid malignant attacks or simply unaware user errors?

I thought of scanning for `;` so one cannot import a module or pass two instructions, and also scanning for `os.` and `sys.` (which are already imported in my program, so there is no need to import them to use `os.remove`). Too bad if `os.` or `sys.` appear in expressions, but that is very unlikely.

Would that be reasonable enough, or am I missing a blatant safety/security gap?

Jean-François Fabre
  • The problem is one could write `"__import__(chr(111)+'s').system('clear')"`. So you hide `os`... – Willem Van Onsem Mar 10 '17 at 13:53
  • good remark. I'll search for `__import__` too then. – Jean-François Fabre Mar 10 '17 at 13:54
  • I think [this](https://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html) article explains that it is *near* to impossible (or perhaps even fundamentally impossible) to completely shield `eval(..)`. – Willem Van Onsem Mar 10 '17 at 13:55
  • Perhaps [this answer](http://stackoverflow.com/a/4236328/67579) can be an initial step to make `eval(..)` more safe. – Willem Van Onsem Mar 10 '17 at 13:58
  • thanks for all those comments. Maybe my question is a duplicate of the answer quoted above. I could just allow string manipulations for instance (the only thing I need) – Jean-François Fabre Mar 10 '17 at 14:12
  • If it's internal then why check for attacks at all? If you feel you can't trust people, then don't half-ass it. Either avoid all attacks using some sort of DSL or let it be. – solarc Mar 10 '17 at 14:38
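The direction the later comments point to (allow only string manipulations, instead of blacklisting `os.`, `sys.` and `__import__`), as an added example that is not code from the question or its comments; the names SAFE_STR_METHODS, ALLOWED_NODES, FormulaError, validate_formula, is_safe_formula, safe_eval_formula and the single input variable `s` are assumptions:

```python
import ast

# Added example, not the question's code. Assumed names: SAFE_STR_METHODS,
# ALLOWED_NODES, FormulaError, validate_formula, is_safe_formula, safe_eval_formula
# and the input variable "s"; "format" is not whitelisted ("{0.__class__}".format(s)).
SAFE_STR_METHODS = {"partition", "rpartition", "split", "rsplit", "strip",
                    "lower", "upper", "replace", "startswith", "endswith"}

# The only node types a pure string formula needs; Import, Lambda, Mult,
# comprehensions and the like are rejected simply by not being listed.
ALLOWED_NODES = tuple(getattr(ast, n) for n in (
    "Expression", "Constant", "Name", "Load", "Attribute", "Call", "Subscript",
    "Slice", "Index", "Tuple", "BinOp", "Add", "UnaryOp", "USub",
) if hasattr(ast, n))  # ast.Index only exists on older Pythons

class FormulaError(ValueError):
    """Raised when a formula uses anything outside the whitelist."""

def validate_formula(expr, input_name="s"):
    """Parse expr as one expression and raise unless every node is allowed."""
    try:
        tree = ast.parse(expr, mode="eval")
    except SyntaxError as exc:  # "import os", "a; b", ... never reach eval
        raise FormulaError(f"not a single expression: {exc.msg}") from exc
    for node in ast.walk(tree):
        if not isinstance(node, ALLOWED_NODES):
            raise FormulaError(f"syntax not allowed: {type(node).__name__}")
        if isinstance(node, ast.Name) and node.id != input_name:
            # No name lookups at all: os, sys, __import__, chr, getattr, open
            raise FormulaError(f"unknown name: {node.id}")
        if isinstance(node, ast.Attribute) and node.attr not in SAFE_STR_METHODS:
            # Blocks __class__ / __subclasses__ / __globals__ style escapes
            raise FormulaError(f"attribute not allowed: {node.attr}")
        if isinstance(node, ast.Call) and (
                not isinstance(node.func, ast.Attribute) or node.keywords):
            raise FormulaError("only positional method calls are allowed")
        if isinstance(node, ast.Constant) and not isinstance(node.value, (str, int)):
            raise FormulaError("only str and int literals are allowed")
    return tree

def is_safe_formula(expr):
    try:
        validate_formula(expr)
        return True
    except FormulaError:
        return False

def safe_eval_formula(expr, value):
    code = compile(validate_formula(expr), "<widget formula>", "eval")
    return eval(code, {"__builtins__": {}}, {"s": value})  # no builtins, only s bound
```

The `__import__(chr(111)+'s')` string from the comments is rejected because `__import__` and `chr` are names other than `s`, not because a substring matched, so hiding `os` behind `chr` or string concatenation changes nothing. Any new string method a widget needs is added to SAFE_STR_METHODS explicitly rather than by widening the syntax.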
