Disabling std. and file I/O in Python sandbox implementation


Problem description


I'm trying to set up a Python sandbox and want to forbid access to standard and file I/O. I am running the sandbox inside of a running Python server.


I've already looked at modules like RestrictedPython and PyPy; however, I want to be able to compile the sandbox code inside of my running Python server, not through an external process.


Are there any alternative ways to prevent access to commands like print, raw_input, or open? Could the aforementioned modules be used in a way where sandbox code is compiled in a running Python program?


At worst, how would you prevent access to raw_input?

EDIT: According to this tutorial on safely evaluating Python code, would it be possible to pass in a manipulated builtins module?

Recommended answer


The rough consensus on this is that the complexity and introspection abilities of CPython make attempts at blacklisting parts of the interpreter unreliable. I believe one of the major attempts was tav's safelite. It's also not that hard to cause CPython to crash, which opens another path to be exploited from running arbitrary code. Avoiding resource exhaustion or CPU-use DoS from arbitrary code is probably impossible to do in-process (you'd need a watchdog, system limits, etc.).


Something crucial for people wanting to have sandboxed code execution in Python is to avoid rolling your own (or simply modifying sys, __builtins__): it's very easy to convince yourself it's rock solid and yet miss some obvious workaround that bypasses your protection. Keep in mind that Python used to include a module that offered this kind of protection, and even that had glaring issues that allowed escaping its restrictions. IIRC, it was vulnerable to fishing non-restricted objects (via introspection) into the restricted environment.


That said, pysandbox is written by a core Python developer who believes it to be safe when restricting e.g. IO (and it incorporates a lot of previous research) and can run in-process like you want (albeit with a few fewer features, like DoS protection against CPU and memory use).
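The following is an added illustration of the answer's point, written for this page; it is not code from the original post, nor from pysandbox, RestrictedPython or any other project named above. It builds the exact "sandbox" the question's EDIT proposes (a hand-picked `__builtins__` dict passed to `exec`), shows that it does stop a direct `open()` or `__import__()` call, and then shows a constructed payload that uses nothing but attribute access and operators to walk from `()` to `object`, enumerate loaded classes, and fish the interpreter's real `__builtins__` out of a Python-level `__init__`'s `__globals__`, i.e. the introspection path the answer describes. All names (`restricted_exec`, `is_blocked`, `ESCAPE`, `run_escape`) and the sample untrusted snippets are constructed for this example.

```python
"""Why a restricted __builtins__ dict is not a sandbox (added example, not from the page)."""
import builtins

# Constructed samples of untrusted code that try to do I/O the direct way.
DIRECT_ATTEMPTS = ["open('/etc/hostname')", "__import__('os')", "print('hi')"]


def restricted_exec(src, allowed=("len", "range", "str", "list")):
    """The approach the question proposes: exec() with a hand-picked __builtins__ dict.

    Anything not in `allowed` is simply absent, so a direct call to open(),
    print() or __import__() raises NameError. Returns the namespace afterwards.
    """
    safe_builtins = {name: getattr(builtins, name) for name in allowed}
    env = {"__builtins__": safe_builtins}
    exec(src, env)  # deliberately the naive design under discussion
    return env


def is_blocked(src):
    """True if the naive sandbox stopped `src` with a NameError."""
    try:
        restricted_exec(src)
    except NameError:
        return True
    return False


# Constructed escape payload. It never names a builtin, so the missing
# builtins are irrelevant: starting from the empty tuple it reaches `object`,
# lists every class loaded in the interpreter, and picks one whose __init__
# is a Python function. That function's __globals__ holds the defining
# module's real __builtins__, which the sandbox never replaced. Such classes
# always exist at startup (e.g. the frozen importlib machinery).
ESCAPE = """
real = None
for cls in ().__class__.__base__.__subclasses__():
    init = cls.__dict__.get('__init__')
    if init is not None and init.__class__.__name__ == 'function':
        g = init.__globals__
        if '__builtins__' in g:
            real = g['__builtins__']
            if real.__class__.__name__ == 'module':  # __main__ stores the module, not its dict
                real = real.__dict__
            break
recovered = [n for n in ('__import__', 'eval', 'exec', 'open') if n in real]
os_mod = real['__import__']('os')   # full, unrestricted os module
os_name = os_mod.name
"""


def run_escape():
    """Run ESCAPE under the same restricted builtins; return what it fished out."""
    env = restricted_exec(ESCAPE)
    return env["recovered"], env["os_name"]


if __name__ == "__main__":
    for src in DIRECT_ATTEMPTS:
        print(f"{src!r:24} blocked={is_blocked(src)}")
    names, os_name = run_escape()
    print("escape recovered", names, "and imported os (os.name =", os_name + ")")
```

The direct attempts all fail, yet the payload recovers `open`, `exec`, `eval` and `__import__` and imports `os` without ever using a name the "sandbox" removed. Blocking this in-process means forbidding dunder attribute access and rewriting the AST, which is the territory where the answer says hand-rolled blacklists keep getting bypassed; it also does nothing against the crash and resource-exhaustion paths the answer mentions, which need a separate process plus OS-level limits and a watchdog.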
