PHP Eval as Action Class #69

Closed
zaniar opened this issue Oct 12, 2017 · 7 comments
Comments

@zaniar

zaniar commented Oct 12, 2017

It is great for quick prototyping.

Yes, I am aware that we have V8. But not every server has V8. Also on some servers we are not allowed to install additional software.

Actually I have implemented it as adapter
https://github.com/zaniar/fusio-adapter-php-eval

and added syntax highlight support to backend app
https://github.com/zaniar/fusio-backend

I think it should come as default with fusio-adapter-php.

An ability to export it to file is also nice.

What do you think?

@chriskapp
Member

First let me say I have also thought a lot about such an action. The problem is that it has a security issue. In the worst case if someone breaks into the system the hacker would have the option to execute arbitrary php code and thus may have the option to get complete control over the server. With the V8 layer we are safe so that the user can only execute specific functions. On the other side I understand that it would be great to quickly develop an action, as you said, through the backend.

I am currently experimenting with online code editors like https://orionhub.org which would be ideal to provide an online editor to edit and create action files. Another solution would be to use some sort of PHP sandbox where we can restrict the evaled code but unfortunately I have not found a good solution yet.

So thx for the input but I think currently the best way is to simply create a PHP file in the src/ folder and then use this file with the PHP processor either by manually referencing this file or by using the deploy mechanism. Please let me know if you have other ideas.

@zaniar
Author

zaniar commented Oct 13, 2017

How about an option to enable/disable it via configuration file?

  • The eval code is only executed when the feature is enabled.
  • Give a warning in the documentation and backend app.
  • Advise to enable it only in development and to use a PHP file in production.

@chriskapp
Member

The problem which I see here is that if such an action is available it will be used regardless of the settings or warnings. I think it's important that a system is secure by default. Basically this means we must either somehow "sandbox" the executed PHP code or use a scripting language (i.e. we could also add a Lua engine, maybe there are also other scripting languages) but I really don't want to eval arbitrary user input code on a server.

@zaniar
Author

zaniar commented Oct 14, 2017

Have you tried Corveda/PHPSandbox?

@chriskapp
Member

I did not know this package but I will check whether this could work. Thus far I have looked at https://github.com/zenovich/runkit which looks promising but is a native PHP extension which makes it more difficult to install. But if we create a new adapter then we could also specify such dependencies.

@chriskapp
Member

To give a short status update. In the background I have been working on a sandbox library which allows to execute a specific subset of PHP. I have just released the first version and if it gets more mature I will start to create an action which uses the sandbox to execute user supplied PHP code.

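The comments above argue for executing only a specific subset of PHP rather than evaluating arbitrary user input. The following is an added example, not code from Fusio, from the sandbox library mentioned, or from the adapter linked in the issue; it sketches how such a subset can be enforced by allowlisting at the token level before any eval() call. The class name, the function allowlist and the forbidden-token list are assumptions chosen for illustration.

```php
<?php
// Added example, not code from Fusio or the adapter linked above: a token-level
// allowlist applied to a snippet before eval(). All names are hypothetical. ALLOWED_CALLS
// holds no function that accepts a callable (array_map, usort, ...) on purpose.
final class PhpSubsetChecker
{
    private const ALLOWED_CALLS = ['strtoupper', 'strlen', 'count', 'implode', 'explode', 'json_encode'];
    private const FORBIDDEN = [
        T_EVAL, T_INCLUDE, T_INCLUDE_ONCE, T_REQUIRE, T_REQUIRE_ONCE,    // loading more code
        T_NEW, T_DOUBLE_COLON, T_OBJECT_OPERATOR, T_CLASS, T_FUNCTION,   // objects, closures, static calls
        T_USE, T_NAMESPACE, T_NS_SEPARATOR, T_GLOBAL, T_DOLLAR_OPEN_CURLY_BRACES,
    ];

    /** @return string[] violations; an empty list means the snippet stays inside the subset */
    public static function violations(string $code): array
    {
        $errors = [];
        $tokens = token_get_all('<?php ' . $code);
        foreach ($tokens as $i => $tok) {
            if ($tok === '`') { $errors[] = 'shell execution via backticks'; }
            if ($tok === '$') { $errors[] = 'variable variable ($$x / ${...})'; }
            if (is_array($tok)) {
                // Qualified names (\system, namespace\x) carry a backslash on PHP 7 and 8 alike.
                if (in_array($tok[0], self::FORBIDDEN, true) || strpos($tok[1], '\\') !== false) {
                    $errors[] = 'forbidden construct: ' . trim($tok[1]);
                }
                continue;
            }
            if ($tok !== '(') { continue; }
            // Every call site is "<something>(": classify the token before the parenthesis.
            $prev = self::prevSignificant($tokens, $i);
            if (is_array($prev) && $prev[0] === T_STRING) {
                if (!in_array(strtolower($prev[1]), self::ALLOWED_CALLS, true)) {
                    $errors[] = "call to non-allowlisted function {$prev[1]}()";
                }
            } elseif ((is_array($prev) && in_array($prev[0], [T_VARIABLE, T_CONSTANT_ENCAPSED_STRING, T_END_HEREDOC], true))
                      || in_array($prev, [')', ']', '"'], true)) {
                $errors[] = 'indirect call: a variable, string or expression used as the function';
            }
        }
        return $errors;
    }

    private static function prevSignificant(array $tokens, int $i)
    {
        for ($j = $i - 1; $j >= 0; $j--) {
            if (is_array($tokens[$j]) && in_array($tokens[$j][0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true)) { continue; }
            return $tokens[$j];
        }
        return null;
    }
}
```

A token allowlist only narrows the language surface: it does nothing against infinite loops or memory exhaustion, and any function added to the allowlist that accepts a callable reopens the door, which is why the list above contains none.
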
@chriskapp
Member

Actually this is now implemented in the 1.2 release.
