Only the latest minor release receives security patches. Older versions are best-effort.
| Version | Supported |
|---|---|
| 0.3.x | ✅ current |
| 0.2.x | |
| < 0.2 | ❌ not supported |
python_maithili executes user-supplied .dmai files. The sandbox in
maithili_dsl/cli.py is the project's primary trust boundary. It
enforces:
- Import whitelist. Only modules present in
MAITHILI_MODULES(the Maithili → Python module map) are importable from a.dmaifile. Raw Pythonimportstatements that were not translated from Maithili names are rejected by_validate_importsbeforeexecruns. The__import__builtin inside the sandbox is replaced with a wrapper that re-checks the whitelist at runtime. - Safe builtins. The execution namespace's
__builtins__is a curated dict (_SAFE_BUILTIN_NAMES). Notably absent:exec,eval,compile,open,breakpoint. Any.dmaiscript that calls these gets aNameErrortranslated to Maithili. - No shared globals.
execruns with a fresh globals dict — it cannot read or modify the CLI's own process state.
If you find a way to bypass any of these, please report it.
Please do not open a public issue for security problems. Instead:
- Email: jha.bishwas@gmail.com with the subject line
[SECURITY] python_maithiliand a proof-of-concept. - Or use GitHub's private vulnerability reporting at https://github.com/alphacrack/python-maithili-dsl/security/advisories/new
Please include:
- A
.dmaifile that demonstrates the issue. - The Python version and OS.
- What the sandbox should have prevented, and what actually happened.
- Acknowledgement: within 3 business days.
- Triage + severity classification: within 7 business days.
- Patch + coordinated disclosure: depends on severity; typically within 30 days for HIGH/CRITICAL findings.
In scope:
- Sandbox escape from within a
.dmaifile. - Ability to read or modify files outside the CWD without being invoked by an explicitly-whitelisted module call.
- Denial of service via a small
.dmaiinput (e.g., catastrophic regex backtracking in the transpiler).
Out of scope:
- Issues that require first compromising the machine running
python_maithili(e.g., modifying the installed package). - Social engineering.
- Resource-exhaustion attacks that require arbitrarily large input (basic DoS via huge files).