Safe mode

From Rosetta Code
Revision as of 19:13, 19 February 2019 by PureFox (Added Go)
Safe mode is a draft programming task. It is not yet considered ready to be promoted as a complete task, for reasons that should be found in its talk page.

Does the language implementation allow for a "safer mode" of execution? It is usually termed Safe mode, though a more realistic name is probably Safer mode or restricted mode. It is one thing to place restrictions on execution, and another thing entirely to allow execution of scripts from untrusted sources and assume nothing untoward will happen.

Along with a simple yes/no answer, describe what features are restricted when running in safe mode.

Go

Any code written in Go is considered to be 'safe' unless it uses one or more of the following features:

  • The 'unsafe' package.
  • The 'reflect' package.
  • cgo.

Although 'normal' Go code uses pointers, arithmetic on them is not permitted and so they cannot be made to point to arbitrary locations in memory. However, the 'unsafe' package contains features which do allow one to perform pointer arithmetic with all the risks this entails.

The 'reflect' package allows one to inspect and manipulate objects of arbitrary types and exposes internal data structures such as string and slice headers. This can result in fragile code where mistakes which would normally be identified at compile time will instead manifest themselves as runtime panics.

'cgo' is Go's bridge to using C code. As such it is just as unsafe as writing C code directly.
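Since Go has no switch for a restricted mode, the practical check is a static one: does a file import any of the three features listed above? The following is an added example, not part of this Rosetta Code entry or of the Go project, that uses the standard go/parser to flag direct imports of unsafe, reflect and the cgo pseudo-package "C". The two sample files it scans are constructed for the example.

```go
package main

import (
	"fmt"
	"go/parser"
	"go/token"
	"strconv"
)

// unsafeImports maps each import path that the entry above treats as leaving
// "safe" Go to a short explanation. Importing the pseudo-package "C" is how a
// file opts into cgo.
var unsafeImports = map[string]string{
	"unsafe":  "pointer arithmetic and type punning via package unsafe",
	"reflect": "runtime inspection and manipulation of arbitrary values via package reflect",
	"C":       "cgo: calls into C code, which has none of Go's memory-safety guarantees",
}

// UnsafeFeatures parses one Go source file and returns a finding for every
// direct import of unsafe, reflect or "C", in source order. Only the import
// declarations are parsed, so the rest of the file need not be complete.
func UnsafeFeatures(filename, src string) ([]string, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, filename, src, parser.ImportsOnly)
	if err != nil {
		return nil, err
	}
	var findings []string
	for _, imp := range f.Imports {
		path, err := strconv.Unquote(imp.Path.Value)
		if err != nil {
			return nil, err
		}
		if reason, ok := unsafeImports[path]; ok {
			pos := fset.Position(imp.Pos())
			findings = append(findings,
				fmt.Sprintf("%s:%d: import %q: %s", pos.Filename, pos.Line, path, reason))
		}
	}
	return findings, nil
}

// IsSafe reports whether the file imports none of the flagged packages.
// A file that does not parse is not considered safe.
func IsSafe(filename, src string) (bool, error) {
	findings, err := UnsafeFeatures(filename, src)
	if err != nil {
		return false, err
	}
	return len(findings) == 0, nil
}

// Two constructed sample files (not real projects): one that stays within
// "safe" Go and one that uses all three flagged features.
const plainSrc = `package main

import "fmt"

func main() { fmt.Println("hello") }
`

const riskySrc = `package main

// #include <stdlib.h>
import "C"

import (
	"fmt"
	"reflect"
	"unsafe"
)

func main() {
	x := 42
	p := unsafe.Pointer(&x)
	fmt.Println(reflect.TypeOf(p), C.rand())
}
`

func main() {
	for _, sample := range []struct{ name, src string }{{"plain.go", plainSrc}, {"risky.go", riskySrc}} {
		findings, err := UnsafeFeatures(sample.name, sample.src)
		if err != nil {
			fmt.Println(sample.name, "parse error:", err)
			continue
		}
		if len(findings) == 0 {
			fmt.Println(sample.name, "uses none of the flagged features")
		}
		for _, f := range findings {
			fmt.Println(f)
		}
	}
}
```

The scanner only looks at the direct imports of the file it is given; a dependency may still import unsafe or use cgo on that file's behalf, so a project-wide answer needs the same check run over every package in the build (for example over the output of go list -deps).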

Jsish

The jsish interpreter allows a -s, --safe command line switch to restrict access to the file system.

For example, given safer.jsi:

<lang javascript>File.write('/tmp/safer-mode.txt', 'data line');</lang>

Output:
prompt$ jsish safer.jsi
prompt$ jsish -s safer.jsi
/home/btiffin/lang/jsish/safer.jsi:2: error: write access denied by safe interp: /tmp/safer-mode.txt    (at or near "data line")

ERROR

The Jsish implementation borrows many ideas from Tcl, and also includes an Interp module. These sub interpreters can also be set to run in a safer mode.

prompt$ jsish
# var si = new Interp({isSafe:true});
variable
# si.source('safer.jsi');
error: read access denied: /home/btiffin/lang/jsish/safer.jsi
ERROR

Some control is allowed over the restrictions provided by safer mode.

<lang javascript>var interp1 = new Interp({isSafe:true, safeWriteDirs:['/tmp'], safeReadDirs:['/tmp']});</lang>

REXX

For running REXX on IBM mainframes, REXX supports the option Scan for the trace statement.

This allows the program to be processed (and be checked for syntax errors), but commands to the "host system" won't be executed.

However, not all REXXes support this option.

Regina REXX supports a --restricted command line option, and embedded interpreters can also be set to run restricted. Many commands are disabled in this mode, including most access to hosted services. The intrinsic FUNCTION REXX() extension in GnuCOBOL defaults to restricted mode, and programmers must explicitly use FUNCTION REXX-UNRESTRICTED(script, args...) for access to the full REXX programming environment from that COBOL implementation.

<lang cobol>       identification division.
       program-id. rexxtrial.
       environment division.
       configuration section.
       repository.
           function all intrinsic.
       data division.
       working-storage section.
       procedure division.
      *> First attempt fails and return statement does not execute
       display rexx("ADDRESS SYSTEM; 'ls rexxtrial.cob'; return 'fail'")
       display "Exception: " exception-status
      *> Second is allowed and succeeds
       display "Try with rexx-unrestricted"
       display rexx-unrestricted(
           "ADDRESS SYSTEM; 'ls -l rexxtrial.cob'; return 'success'")
       display "No exception raised: " exception-status
       goback.
       end program rexxtrial.</lang>
Output:
$ cobc -xj rexxtrial.cob
     1 +++ 'ls rexxtrial.cob'
Error 95 running "gnucobol", line 1: [Restricted feature used in "safe" mode]
Error 95.5: [Running external commands invalid in "safe" mode]

Exception: EC-IMP-SCRIPT
Try with rexx-unrestricted
-rw-rw-r--. 1 btiffin btiffin 727 Feb 19 04:26 rexxtrial.cob
success
No exception raised: