restricted execution

Evoque supports python expressions only. This means that python statements are already naturally restricted as when evaluated these will always raise a SyntaxError. The problem of restricting execution is thus reduced to the problem of making the eval python built-in safe. This is by no means an easy task, but at least with its more limited scope it is simpler than attempting to generically restrict or sandbox the python interpreter.

Running in restricted mode will (supposedly) make it impossible to manipulate tangible resources, such as files and sockets, from within a template. Protection of intangible resources, such as memory and CPU usage, is not (yet) provided (see below).

restricted: bool = False
This is the one domain init parameter that when set to True will initialize the domain to run in restricted execution mode. Setting this to True has therefore the following consequences:

  • Sets a dummy __builtins__ empty dict on the domain-wide globals dict used by eval.
  • Adds a top-level entry, domain-wide globals dict used by eval, for each builtin deemed safe.
  • At runtime scans all expressions before compiling them for "__" (double underscore) and if found will raise a LookupError.

Builtins deemed unsafe

All subclasses of BaseException are considered potentially unsafe and so are not made available as entries on the globals dict. Other python 2.5 __builtins__ considered unsafe are (defined in the list Domain.DISALLOW_BUILTINS):

DISALLOW_BUILTINS = ["_", "__debug__", "__doc__", "__import__", "__name__", "buffer", "callable", "classmethod", "coerce", "compile", "delattr", "dir", "eval", "execfile", "exit", "file", "getattr", "globals", "hasattr", "id", "input", "isinstance", "issubclass", "locals", "open", "quit", "raw_input", "reload", "setattr", "staticmethod", "super", "type", "vars"]

This may seem overly restrictive, but then templating should not require more than a small subset of python's possibilities, for convenience of doing simple progamming tasks e.g. enumerating over a list.

Is this enough?

Depending on paranoia level, probably not. Besides more testing to validate that the above effectively does not allow the template programmer to access and manipulate any tangible resources, it should still be possible to bring down the interpreter via DOS maliciousness, e.g. evaluating an expression for a very large multiplication to consume all available memory, or to take a very long time to finish. Further runtime analysis of expressions will be required to protect against intangible resources such as memory and CPU usage, and how best to add such protection is future work that is still to be done. Restricted execution mode should for now best be considered experimental.