Output widgets could expose code from exceptions #203

jeffyjefflabs opened this issue Jun 6, 2019 · 5 comments
@jeffyjefflabs
Contributor

This might just be a case of "don't do that" but I thought it was worth mentioning. If code runs as part of a callback and is using an Output widget, then exception tracebacks will be shown in the Output widget. Minimal example below.

I tried using get_ipython().set_custom_exc() to change the exception handler, but curiously that took effect on "regular" code but not code that was tied to an Output widget.

Related: #34, #186

```python
import ipywidgets as widgets

def callback(w):
    with output:
        raise RuntimeError('oops')

output = widgets.Output()
button = widgets.Button(description='Run')
button.on_click(callback)
widgets.VBox([button, output])
```

@maartenbreddels
Member

I think voila should not show stderr, what do you think @SylvainCorlay?

@martinRenou
Member

Could it be an option? It would make sense to display errors sometimes. Say you have an upload button but your user tries to upload a malformed file, the user should get feedback through error messages.

Actually, I think it should display errors by default. You don't want to hide errors from users, nor from dashboard developers. If there are errors in the Notebook, you should be able to know it, and you should fix it.

@maartenbreddels
Member

But stack traces leak code, so I think it should be behind some flag, or maybe have a dev mode. Doesn't PHP do something like that as well?

@martinRenou
Member

> stack traces leak code

Oh I see

@jeffyjefflabs
Contributor Author

I did some more digging, and this seems a little tricky. The reason set_custom_exc() doesn't affect Output widgets is that they explicitly show the traceback when the context manager exits. That call lands here in zmqshell. The exception info comes back in an error message and can't be captured (I tried), so I don't think suppressing stderr would work (and I'm not sure you'd want to do that anyway). And you can't just ignore (i.e. not render) outputs of type error because in this case it's part of the widget state. Maybe it makes sense for a change upstream in ipywidgets for the Output widget to use the ipython exception handler instead of directly showing the traceback? Then at least you could install a custom handler, either globally in voila or on a per-notebook basis if the author is concerned about this.

Also note that after #186, you now see exception tracebacks that are not wrapped up in an Output widget. Those you could take care of with a custom exception handler; e.g. show the exception message but not the traceback.

I should also mention that this isn't a major concern for my team - we have use cases where we don't want the dashboard user to modify the code, but we don't care if they see it. But I know it may be a concern for others.
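
A per-notebook workaround for the behaviour discussed in this thread, as an added example that is not code from the thread or from voila/ipywidgets: catch the exception inside the `with output:` block so the context manager exits cleanly, log the full traceback server-side, and show the viewer only the exception type and message. The names `guarded`, `dashboard` and the `ref` id are assumptions; with ipywidgets you would pass a `widgets.Output()` instance, and the demo uses `contextlib.redirect_stdout` as a stand-in so it runs without a notebook.

```python
import contextlib
import functools
import io
import logging
import uuid

log = logging.getLogger("dashboard")  # hypothetical server-side logger name


def guarded(output, logger=log):
    """Run a widget callback inside `with output:` without leaking tracebacks.

    The exception is caught *inside* the context manager, so its __exit__
    sees no exception and has nothing to render as a traceback.
    """
    def decorate(fn):
        @functools.wraps(fn)
        def wrapper(*args, **kwargs):
            with output:
                try:
                    return fn(*args, **kwargs)
                except Exception as exc:
                    ref = uuid.uuid4().hex[:8]  # lets support match UI to logs
                    # Full traceback (with source lines) stays server-side.
                    logger.error("callback %s failed [ref %s]",
                                 fn.__name__, ref, exc_info=True)
                    # Viewer sees type and message only. Messages can carry
                    # data too; swap in a fixed string if that matters.
                    print(f"{type(exc).__name__}: {exc} (ref {ref})")
                    return None
        return wrapper
    return decorate


if __name__ == "__main__":
    # Constructed demo: redirect_stdout stands in for widgets.Output().
    buf = io.StringIO()
    stand_in = contextlib.redirect_stdout(buf)

    @guarded(stand_in)
    def callback(w):
        raise RuntimeError("oops")

    callback(None)
    print("viewer sees:", buf.getvalue().strip())
```

This only covers callbacks you wrap yourself; exceptions raised outside an Output widget still go through the regular IPython exception handler.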
