Databases
StackOverflow2013
Postsdbo
PO
Body
 

Note that there are some explanatory texts on larger screens.

plurals
  1. PO
    text
    copied!<p>We do this for some of our internal tools</p> <p>What we do protects us from exception issues and discourages any attempts by the users to get overly creative in the config scripts. However it doesn't protect us from infinite loops or actively malicious third parties.</p> <p>The core of the approach here is to run the script in a locked down exec.</p> <ol> <li><p>First we go through the __ builtin __ module and del everything we don't want them to be able to touch, especially __ import __. We actually do this in a context manager which backs the original values up and dels them on the way in and then restores the original values on the way back out.</p></li> <li><p>Next we create an empty dictionary to be the config scripts namespace.</p></li> <li><p>Then we exec the config with the namespace.</p></li> <li><p>The exec is of course wrapped in a try except that will catch anything.</p></li> <li><p>And finally we inspect the namespace to extract the variables we are interested in.</p></li> </ol> <p>Points to note here:</p> <ol> <li><p>It might be tempting to prepopulate the namespace with stuff that might be useful to the config script, but you want to be very careful doing that you quickly open up hooks back into the host program.</p></li> <li><p>The config scripts can still create functions and classes so you might get back something that looks like a string for example, but is actually an arbitrary blob of executable code.</p></li> </ol> <p>Because of these we impose the restriction that our config scripts are expected to produce pure primitive data structures (generally just ints, strings, lists, tuples and None) that we then separately verify.</p>
 

Querying!

 
Guidance
An individual column

Larger individual text columns get their own page to allow for proper reading.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload