Python is a Turing complete <https://en.wikipedia.org/wiki/Turing_completeness> programming language. To offer a Python interface for users in web context is a potential security risk. Web frameworks and Content Management Systems (CMS) want to offer their users as much extensibility as possible through the web (TTW). This also means to have permissions to add functionality via a Python Script.
There should be additional preventive measures taken to ensure integrity of the application and the server itself, according to information security best practice and unrelated to Restricted Python.
RestrictedPython defines a safe subset of the Python programming language. This is a common approach for securing a programming language. The Ada Ravenscar profile <https://en.wikipedia.org/wiki/Ravenscar_profile> is another example of such an approach.
Defining a secure subset of the language involves restricting the EBNF <https://en.wikipedia.org/wiki/Extended_Backus%E2%80%93Naur_form> elements and explicitly allowing or disallowing language features. Much of the power of a programming language derives from its standard and contributed libraries, so any calling of these methods must also be checked and potentially restricted. RestrictedPython generally disallows calls to any library that is not explicit whitelisted.
As Python is a scripting language that is executed by an interpreter. Any Python code that should be executed have to be explicit checked before executing a generated byte code by the interpreter.
Python itself offers three methods that provide such a workflow:
compile()
which compiles source code to byte codeexec
/exec()
which executes the byte code in the interpretereval
/eval()
which executes a byte code expression
Therefore RestrictedPython offers a replacement for the python builtin function compile()
(Python 2: https://docs.python.org/2/library/functions.html#compile / Python 3 https://docs.python.org/3/library/functions.html#compile). This method is defined as following:
compile(source, filename, mode [, flags [, dont_inherit]])
The definition of the compile()
method has changed over time, but its relevant parameters source
and mode
still remain.
There are three valid string values for mode
:
'exec'
'eval'
'single'
For RestrictedPython this compile()
method is replaced by:
compile_restricted(source, filename, mode [, flags [, dont_inherit]])
The primary parameter source
has to be a ASCII or unicode
string (With Python 2.6 an additional option for source was added: ast.AST
for Code generation <_sec_code_generation>
). Both methods either returns compiled byte code that the interpreter could execute or raise exceptions if the provided source code is invalid.
As compile
and compile_restricted
just compile the provided source code to byte code it is not sufficient to sandbox the environment, as all calls to libraries are still available.
The two methods / Statements:
exec
/exec()
eval
/eval()
have two parameters:
globals
locals
which are a reference to the Python builtins.
By modifying and restricting the available modules, methods and constants from globals and locals we could limit the possible calls.
Additionally RestrictedPython offers a way to define a policy which allows developers to protect access to attributes. This works by defining a restricted version of:
print
getattr
setattr
import
Also RestrictedPython provides three predefined, limited versions of Python's own __builtins__
:
safe_builtins
(by Guards.py)limited_builtins
(by Limits.py), which provides restricted sequence typesutilities_builtins
(by Utilities.py), which provides access for standard modules math, random, string and for sets.
One special shortcut:
safe_globals
for{'__builtins__': safe_builtins}
(by Guards.py)
Additional there exist guard functions to make attributes of Python objects immutable --> full_write_guard
(write and delete protected)