On Tue, 5 Oct 2021 22:20:33 +0000 Thomas Subia <thomas.su...@fmindustries.com> wrote:
> Some co-workers are wondering about how secure R software is.

I'm afraid that this question is too hard to answer without their threat model. Secure against what, specifically?

> Is there any documentation on this which I can forward to them?

Well, R is a programming language. It's Turing-complete (see halting problem), will happily run machine code from shared objects (see dyn.load, .C, .Call), and install.packages() is there to download third-party code from the Internet. But that's the case with all programming languages I know that are used for statistics, which aren't supposed to run untrusted code.

Maybe you're concerned about data input/output instead. Functions are first-class objects, so it's possible to save and load them from data files. Not sure if there's a way to run code on data load, but you can do it on print() (e.g. print.nls(x) calling x$m$getAllPars()), so don't load()/readRDS() untrusted data files. There are known bugs in the deserialiser, too: https://bugs.r-project.org/show_bug.cgi?id=16034

Don't know if it's documented anywhere, though.

What are your co-workers concerned about?

-- 
Best regards,
Ivan
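One way to act on the advice above before using an object that came out of readRDS() or load(), as an added example that is not part of Ivan's post: walk the loaded object and report every user-defined closure, unevaluated call and active binding it carries, without evaluating any of it. The find_code() function and the nls-shaped demo object are constructed for this example and are not part of R itself.

```r
find_code <- function(x) {
  state <- new.env()                 # accumulator shared by the recursion
  state$out  <- character()
  state$seen <- list()               # environments already visited
  walk <- function(v, path) {
    report <- function(what)
      state$out <- c(state$out, sprintf("%s: %s", path, what))
    if (is.function(v)) {
      # a closure whose environment is a package namespace is library code;
      # anything else was defined by whoever produced the file
      env <- environment(v)          # NULL for primitives such as sum
      if (!is.null(env) && !isNamespace(env)) report("user-defined closure")
    } else if (is.call(v) || is.expression(v) || is.name(v)) {
      report("unevaluated language object")
    } else if (is.environment(v)) {
      if (any(vapply(state$seen, identical, logical(1), v))) return(invisible(NULL))
      state$seen[[length(state$seen) + 1L]] <- v
      for (nm in ls(v, all.names = TRUE)) {
        # an active binding runs a function on every get(), so do not get() it
        if (bindingIsActive(nm, v)) report(paste0("active binding ", nm))
        else walk(get(nm, envir = v, inherits = FALSE), paste0(path, "$", nm))
      }
    } else if (is.list(v)) {
      plain <- unclass(v)            # plain list: no S3 dispatch on [[ or length
      nms <- names(plain)
      for (i in seq_along(plain)) {
        lbl <- if (!is.null(nms) && nzchar(nms[i])) paste0("$", nms[i])
               else paste0("[[", i, "]]")
        walk(plain[[i]], paste0(path, lbl))
      }
    }
    # attributes (class, srcref, S4 slots, ...) can carry code as well
    for (a in setdiff(names(attributes(v)), "names"))
      walk(attr(v, a, exact = TRUE), sprintf("attr(%s, '%s')", path, a))
  }
  walk(x, "obj")
  state$out
}

# Constructed demo object: the shape print.nls() relies on, with a closure in
# the $m environment, round-tripped through the serialiser in memory the way
# readRDS() would do from disk. It is only inspected here, never printed.
m <- new.env()
m$getAllPars <- function() cat("this closure would run on print()\n")
blob   <- serialize(structure(list(coef = 1:3, m = m), class = "nls"), NULL)
loaded <- unserialize(blob)
print(find_code(loaded))
```

This only covers code the loaded object carries; the deserialiser bugs the post links to are hit before find_code() ever sees the object, so the advice not to load untrusted files at all still stands.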