Disable pyimport by default, for security #45
Comments
|
I'm not sure if disabling pyimport would be sufficient. Running exec http://programmers.stackexchange.com/questions/191623/best-practices-for-execution-of-untrusted-code Read the post of Martijn Pieters. Robert On 6/4/2016 2:31 AM, Carson Lam wrote:
|
|
In my use case, I'll only inject a few simple functions into JavaScript, using the EvalJs constructor. I definitely won't be exposing things like exec, eval, type, os, subprocess, pickle, etc. In my mind, what I'm doing should already be safely sandboxed, unless it's somehow possible to inject code into the Python functions I added to the JavaScript scope... |
|
Myfunction.class.class will give you the type function. With that you can pretty much hack into anything. It's not the primary objects you need to worry about its the introspection. Verzonden vanaf mijn Samsung-apparaat -------- Oorspronkelijk bericht -------- In my use case, I'll only inject a few simple functions into JavaScript, using the EvalJs constructor. I definitely won't be exposing things like exec, eval, type, os, subprocess, pickle, etc. In my mind, what I'm doing should already be safely sandboxed, unless it's somehow possible to inject code into the Python functions I added to the JavaScript scope... — |
|
Hmm, interesting. Thanks for the insight - I am new to this topic. I just did a quick test and it looks like I can't access myFunction.class.class from within Js2Py: >>> import js2py
>>> def hello(world):
... print(world)
... return world
>>> js = js2py.EvalJs({'hello': hello})
>>> js.execute('hello')
>>> js.execute('hello("world")')
'world'
>>> js.execute('hello.__class__')
>>> js.execute('hello.__class__.__class__')
Traceback (most recent call last):
File "<input>", line 1, in <module>
File "C:\Users\carso\env\lib\site-packages\js2py\evaljs.py", line 131, in execute
exec(compiled, self._context)
File "<EvalJS snippet>", line 2, in <module>
File "C:\Users\carso\env\lib\site-packages\js2py\base.py", line 263, in get
raise MakeError('TypeError', 'Undefiend and null dont have properties!')
js2py.base.PyJsException: TypeError: Undefiend and null dont have properties!Though it's unclear whether this is by design. |
|
My test confirmed this. Maybe it's not that unsafe after all although it What kind of app did you want to use it for? It sounds like a similar Robert On 6/4/2016 11:43 PM, Carson Lam wrote:
|
|
I hope to use Js2Py for parsing and executing PAC files, which contain a JavaScript function that accepts a URL and outputs the proxy server to use for that URL. One way to obtain a PAC file is to go up the DNS hierarchy using a known URL pattern, and using the first valid response. |
|
@PiotrDabkowski Can you explain the decision you've made here? In PyPAC, my solution to this problem was to monkeypatch Js2Py to disable |
|
Hey, Js2Py is insecure enough even without pyimport :) I mean I tried to make it secure as far as possible, but I cannot guarantee anything - removing pyimport makes exploiting Js2Py harder, but I am pretty sure its still possible. I you want I can add a flag disabling pyimport |
|
Do you have theories on other ways to break the security of Js2Py, even when pyimport is disabled? I'm curious to know, as this is something I'd like to explore, but I've only tried the most obvious potential security issues. I definitely would appreciate a flag to disable pyimport, because my monkeypatch method is fragile to internal changes within Js2Py. |
|
Done! Now you can call |
I'm exploring the use of this library for a project I'm working on, and it looks amazing. I am interested in using this library to parse and execute functions from potentially untrusted JavaScript files, so I am concerned by the availability of the
pyimportkeyword. Is it possible to add an option to enable/disable this feature, and have it disabled by default?Doing this would make the default behaviour of Js2Py much safer and similar to standard JavaScript.
The text was updated successfully, but these errors were encountered: