沙箱 [英] Sandboxes

问题描述

我是python的新手，我正在将其用作dotnet项目中的嵌入式

脚本引擎我正在努力。我现在正在使用Python for Net播放

（ http://www.zope.org/Members/Brian/PythonNet）

的东西，它似乎运作良好。


Google搜索有关在沙盒中保护Python的信息似乎

表示有一些内置功能，但它们并不是真的值得信赖。这是正确的吗？


就我的目的而言，我真的只是想让用户在沙盒中运行，只需要使用

访问语言，操作一些在

应用程序中发布的对象（如果

适用，可能会给它们一些字符串和数学库）。


我想知道如果预先解析传入的脚本

并拒绝包含import的那些脚本会有效吗？我也有应用程序

将可信导入的（简短）列表注入脚本，然后将

传递给解释器。

从理论上讲，我希望这可能意味着脚本编写者可以访问他们需要的东西，而无法添加任何其他内容。


这足够吗？是否有任何缺点或巨大的漏洞？

我预计我还需要阻止''exec''和''eval''

防止导入在预解析之后被混淆。


或者这是一个无望的原因？


最后，不管怎样，都会任何人都推荐一个不同的脚本引擎

，这可能更适合我想要完成的事情，我可能没有看到过b $ b。我不需要太多;它需要使用C＃，

并能够轻松地与已发布的界面进行交互。我也想要

来利用热门这个词。语言而不是模糊的东西。


我也看了Javascript，但是找不到将一个

解释器嵌入到C＃应用程序中的方法。 JScript中有一些CodeDom的东西，但是

似乎倒退了......太过分了;我真的不想为数百个2行和3行脚本编译

临时程序集......而且VSA

的东西已被标记为已弃用，没有明显的继承者......似乎好像我在错误的时间跳进去了。 :)


欢迎任何想法，见解或评论。原谅我缺乏Python

精明......我现在只玩了几个小时;

碰到python for net之后链接。


-regards，

Dave

Hi,

I''m extremely new to python, and am looking at using it as an embedded
script engine in a dotnet project I''m working on. I''m currently playing
with the "Python for Net" (http://www.zope.org/Members/Brian/PythonNet)
stuff, and it seems to work well.

Googling for information on securing Python in a "sandbox" seems
indicate that there are some built in features, but they aren''t really
trustworthy. Is that correct?

For my purposes, I really just want to let users run in a sandbox, with
access to only the language, manipuate a few published objects in the
application (and perhaps give them some string and math libraries if
applicable).

I was wondering if it would be effective to pre-parse incoming scripts
and reject those containing "import"? I''d also have the application
inject the (short) list of trusted imports to the script before passing
it to the interpreter.

In theory I''m hoping this would mean script writers would have access to
the stuff they need and no way to add in anything else.

Would this sufficient? Are there any drawbacks or giant gaping holes?
I''m anticipating that I''d also need to block ''exec'' and ''eval'' to
prevent an import from being obfuscated past the pre-parse.

Or is this a hopeless cause?

Finally, either way, would anyone recommend a different script engine
that might be more suitable for what I''m trying to accomplish that I
might not have looked at. I don''t need much; it needs to work with C#,
and be able to easily interact with ''published'' interface. I''d also like
to leverage a "popular" language instead of something obscure.

I also looked at Javascript, but couldn''t find a way to embed an
interpreter into a C# app. There''s some CodeDom stuff with JScript, but
that seemed backwards...overkill; I don''t really want to compile
temporary assemblies for hundreds of 2 and 3 line scripts... and the VSA
stuff has been marked deprecated with no apparent successor... seems
like I jumped into this at precisely the wrong time. :)

Any thoughts, insights, or comments welcome. Forgive my lack of Python
savvy... I''ve only been playing with it for a few hours now; after
bumping into the "python for net" link.

-regards,
Dave

推荐答案

>这还够吗？是否有任何缺点或巨大的漏洞？

> Would this sufficient? Are there any drawbacks or giant gaping holes?

我预计我还需要阻止''exec''和''eval''以防止导入从预先解析后的混淆。

或者这是一个无望的事业？


是的。有很多关于此的讨论，并且有很多不同的方法来克服这些强加的限制 - 它不会起作用。

最后，无论哪种方式，都会任何人都推荐一个不同的脚本引擎，它可能更适合我想要完成的，我可能没有看过。我不需要太多;它需要使用C＃，
并能够轻松地与已发布的界面进行交互。我也希望
能够利用受欢迎的语言而不是模糊的东西。

I''m anticipating that I''d also need to block ''exec'' and ''eval'' to
prevent an import from being obfuscated past the pre-parse.

Or is this a hopeless cause?
Yes. There have been numerous discussions about this, and there are so
many different ways to overcome such imposed limitations - it won''t work.

Finally, either way, would anyone recommend a different script engine
that might be more suitable for what I''m trying to accomplish that I
might not have looked at. I don''t need much; it needs to work with C#,
and be able to easily interact with ''published'' interface. I''d also like
to leverage a "popular" language instead of something obscure.

也许是LUA？我只是听说它非常适合这样的任务。


对我来说，总体问题是：为什么会瘫痪？你是什​​么？b $ b害怕你的用户会这样做会对你或他人造成伤害？有一些问题

有效的理由，我一般都不会质疑。例如。小程序和

之类的。那么实际的用例是什么？


问候，


Diez

Maybe LUA? I only heard that it''s well suited for such tasks.

The overall question for me is: Why crippled acess at all? What do you
fear your users could do that harms you or others? There are of coures
valid reasons, I don''t question that generally. E.g. applets and the
like. So what is the actual usecase?

Regards,

Diez

42 <无**** @ nospam.com>写道：

42 <no****@nospam.com> writes:

Google搜索有关在沙箱中保护Python的信息。似乎
表明有一些内置的功能，但它们并不是真的值得信赖。那是对的吗？


是的。

就我的目的而言，我真的只是想让用户在沙箱中运行，只能访问语言，操作
应用程序中的一些已发布对象（如果适用，可能会给它们一些字符串和数学库）。


如果它们是恶意的，这就是在寻找麻烦。

我想知道预先解析传入的脚本是否有效
和拒绝包含import的那些？我也有应用程序
在将脚本传递给解释器之前将可信导入的（简短）列表注入脚本。


不，这还不够。

这还够吗？是否有任何缺点或巨大的漏洞？
我预计我还需要阻止''exec''和''eval''以防止导入过去被混淆预解析。

或者这是一个无望的原因？

Googling for information on securing Python in a "sandbox" seems
indicate that there are some built in features, but they aren''t really
trustworthy. Is that correct?
Yes.
For my purposes, I really just want to let users run in a sandbox, with
access to only the language, manipuate a few published objects in the
application (and perhaps give them some string and math libraries if
applicable).
If they are malicious, this is asking for trouble.
I was wondering if it would be effective to pre-parse incoming scripts
and reject those containing "import"? I''d also have the application
inject the (short) list of trusted imports to the script before passing
it to the interpreter.
No, that''s not enough.
Would this sufficient? Are there any drawbacks or giant gaping holes?
I''m anticipating that I''d also need to block ''exec'' and ''eval'' to
prevent an import from being obfuscated past the pre-parse.

Or is this a hopeless cause?

是的。使用Java和Javascript甚至很难实现这样的安全性。

Yes. It''s even difficult with Java and Javascript, which were designed
to have such security.

>谷歌搜索有关在沙盒中保护Python的信息似乎

> Googling for information on securing Python in a "sandbox" seems

表明有一些内置功能，但它们并不是真的值得信赖。这是正确的吗？

为了我的目的，我真的只是想让用户在沙盒中运行，只能访问语言，操纵一些已发布的对象。
应用程序（如果适用，可能会给它们一些字符串和数学库）。

indicate that there are some built in features, but they aren''t really
trustworthy. Is that correct?

For my purposes, I really just want to let users run in a sandbox, with
access to only the language, manipuate a few published objects in the
application (and perhaps give them some string and math libraries if
applicable).

这取决于您所需的安全级别。如果你想让它成为黑客防范的b
，这是一个失败的原因。如果您正在创建一个仅提供事故保护的环境，那么就可以做到这一点。

It depends on your desired level of security. If you want to make it
hacker-proof, it is a lost cause. If you''re creating an environment
that just offers protection against accidents, that can be done.

这篇关于沙箱的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！