Prev: WANTED: Regular expressions for breaking TeX/LaTeX document into tokens
Next: [M2Crypto] Problems uploading to IIS using FTP over SSL
From: Victor Stinner on 26 Feb 2010 07:29 Hi, pysandbox is a new Python sandbox project under development. By default, untrusted code executed in the sandbox cannot modify the environment (write a file, use print or import a module). But you can configure the sandbox to choose exactly which features are allowed or not, eg. import sys module and read the file /etc/issue. I think that the project reached the "testable" stage. I launch a new challenge: try to escape from the sandbox. I'm unable to write strict rules. The goal is to access objects outside the sandbox. Eg. write into a file, import a module which is not in the whitelist, modify an object outside the sandbox, etc. To test the sandbox, you have 3 choices: - interpreter.py: interactive interpreter executed in the sandbox, use: --verbose to display the whole sandbox configuration, --features=help to enable help() function, --features=regex to enable regex, --help to display the help. - execfile.py <your_script.py>: execute your script in the sandbox. It has also --features option: use --features=stdout to be able to use the print instruction :-) - use directly the Sandbox class: use methods call(), execute() or createCallback() Don't use "with sandbox: ..." because there is known but with local frame variables. I think that I will later drop this syntax because of this bug. Except of debug_sandbox, I consider that all features are safe and so you can enable all features :-) There is no prize, it's just for fun! But I will add the name of hackers founding the best exploits. pysandbox is not ready for production, it's under heavy development. Anyway I *hope* that you will quickly find bugs! -- Use tests.py to found some examples of how you can escape a sandbox. pysandbox is protected against all methods described in tests.py ;-) See the README file to get more information about how pysandbox is implemented and get a list of other Python sandboxes. pysandbox is currently specific to CPython, and it uses some ugly hacks to patch CPython in memory. In the worst case it will crash the pysandbox Python process, that's all. I tested it under Linux with Python 2.5 and 2.6. The portage to Python3 is not done yet (is someone motivated to write a patch? :-)). -- Victor Stinner http://www.haypocalc.com/
From: Victor Stinner on 26 Feb 2010 07:35 Le vendredi 26 février 2010 13:29:33, Victor Stinner a écrit : > pysandbox is a new Python sandbox project ... I just forget to explain how to download it. Website: http://github.com/haypo/pysandbox/ Download the repository using git: git clone git://github.com/haypo/pysandbox.git or git clone http://github.com/haypo/pysandbox.git Or download the .zip or .tar.gz tarball using the "Download source" button on the website. -- Victor Stinner http://www.haypocalc.com/
From: Daniel Fetchinson on 26 Feb 2010 09:37 >> pysandbox is a new Python sandbox project Out of curiosity, the python sandbox behind google app engine is open source? If so, how is it different from your project, if not, anyone knows if it will be in the future? Cheers, Daniel -- Psss, psss, put it down! - http://www.cafepress.com/putitdown
From: Victor Stinner on 26 Feb 2010 10:04 Le vendredi 26 février 2010 15:37:43, Daniel Fetchinson a écrit : > >> pysandbox is a new Python sandbox project > > Out of curiosity, the python sandbox behind google app engine is open > source? If so, how is it different from your project, if not, anyone knows > if it will be in the future? I don't know this project. Do you have the URL of the project home page? Is it the "safelite.py" project? -- Victor Stinner http://www.haypocalc.com/
From: Daniel Fetchinson on 27 Feb 2010 12:37
On 2/26/10, Victor Stinner <victor.stinner(a)haypocalc.com> wrote: > Le vendredi 26 février 2010 15:37:43, Daniel Fetchinson a écrit : >> >> pysandbox is a new Python sandbox project >> >> Out of curiosity, the python sandbox behind google app engine is open >> source? If so, how is it different from your project, if not, anyone >> knows >> if it will be in the future? > > I don't know this project. Do you have the URL of the project home page? Is > it > the "safelite.py" project? It's google's hosting solution called app engine, for python web applications: http://code.google.com/appengine/docs/python/gettingstarted/ I guess they also have some kind of a sandbox if they let people run python on their machines, I'm not sure if it's open source though. Cheers, Daniel -- Psss, psss, put it down! - http://www.cafepress.com/putitdown |