限制Python的语法以安全地执行用户代码。这是安全的方法吗? [英] Restricting Python's syntax to execute user code safely. Is this a safe approach?
问题描述
原始问题:
在python Web服务器上执行数学用户代码,最简单的安全方法是什么?
- 我希望能够在python网络服务器上运行用户提交的代码。该代码本质上将是简单和数学的。
由于需要Python这样小的子集,因此我目前的方法是将允许的白名单遍历Python的抽象语法树。函数和名称得到特殊对待;
As such a small subset of Python is required, my current approach is to whitelist allowable syntax by traversing Python's abstract syntax tree. Functions and names get special treatment; only explicitly whitelisted functions are allowed, and only unused names.
import ast
allowed_functions = set([
#math library
'acos', 'acosh', 'asin', 'asinh', 'atan', 'atan2', 'atanh',
'ceil', 'copysign', 'cos', 'cosh', 'degrees', 'e', 'erf',
'erfc', 'exp', 'expm1', 'fabs', 'factorial', 'floor', 'fmod',
'frexp', 'fsum', 'gamma', 'hypot', 'isinf', 'isnan', 'ldexp',
'lgamma', 'log', 'log10', 'log1p', 'modf', 'pi', 'pow', 'radians',
'sin', 'sinh', 'sqrt', 'tan', 'tanh', 'trunc',
#builtins
'abs', 'max', 'min', 'range', 'xrange'
])
allowed_node_types = set([
#Meta
'Module', 'Assign', 'Expr',
#Control
'For', 'If', 'Else',
#Data
'Store', 'Load', 'AugAssign', 'Subscript',
#Datatypes
'Num', 'Tuple', 'List',
#Operations
'BinOp', 'Add', 'Sub', 'Mult', 'Div', 'Mod', 'Compare'
])
safe_names = set([
'True', 'False', 'None'
])
class SyntaxChecker(ast.NodeVisitor):
def check(self, syntax):
tree = ast.parse(syntax)
self.visit(tree)
def visit_Call(self, node):
if node.func.id not in allowed_functions:
raise SyntaxError("%s is not an allowed function!"%node.func.id)
else:
ast.NodeVisitor.generic_visit(self, node)
def visit_Name(self, node):
try:
eval(node.id)
except NameError:
ast.NodeVisitor.generic_visit(self, node)
else:
if node.id not in safe_names and node.id not in allowed_functions:
raise SyntaxError("%s is a reserved name!"%node.id)
else:
ast.NodeVisitor.generic_visit(self, node)
def generic_visit(self, node):
if type(node).__name__ not in allowed_node_types:
raise SyntaxError("%s is not allowed!"%type(node).__name__)
else:
ast.NodeVisitor.generic_visit(self, node)
if __name__ == '__main__':
x = SyntaxChecker()
while True:
try:
x.check(raw_input())
except Exception as e:
print e
这似乎接受了必需的语法,但是我是编程的新手,可能会缺少许多安全漏洞。
This seems to accept the required syntax, but I am reasonably new to programming and could be missing any number of gaping security holes.
所以我的问题是:这是安全,是否有更好的方法,还有其他应采取的预防措施吗?
So my questions are: Is this secure, is there a better approach, and are there any other precautions I should be taking?
推荐答案
我注意到了两点仍然可以改善:
Two points I noticed that you could still improve:
您应该始终避免从某种形式的用户输入中生成的任何输出。在您的示例中,不允许的标识符未修改地镜像回到输出。可能会利用此漏洞,例如跨站点脚本。因此,我将另外转义任何此类错误消息以防止这种情况。
You should always escape any output that can be generated from some form of user input. In your example, the unallowed identifiers get mirrored unmodified back to the output. This could potentially be exploited, one example being Cross Site Scripting. Therefore I would additionally escape any such error message to prevent this.
您需要注意的另一件事是拒绝服务攻击。想象一下,有人鞭打了一个Ackermann函数和一个脚本,将其提交给服务器数千次。为了避免这种情况,您应该将提交的所有代码的执行时间都设置为时间错误。这是必不可少的,因为这种类型的攻击通常无意间发生-有人设法产生了无限循环。
Another thing you need to be aware of is Denial-of-Service attacks. Imagine someone whips up an Ackermann function and a script to submit it a couple of thousand times to your server... To prevent this, you should timebox the execution time of any code being submitted. This is essential, because this type of "attack" often happens unintentionally - someone managed to produce an infinite loop.
编辑:
最后,我还建议您更新Python版本,以防止 hashDoS攻击
Finally, I would also recommend to update your Python version to prevent a "hashDoS" attack.
这篇关于限制Python的语法以安全地执行用户代码。这是安全的方法吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
