[Python-ideas] Restricting access to sensitive APIs with a permission model like Deno

2023-02-26 Thread python--- via Python-ideas
Hello all, Supply chain attacks are becoming a pressing concern in software development due to the large number of dependencies and multiple attack vectors. Using third-party modules (libraries, packages, etc.) is always a risk but the true potential of these attacks is now being weaponized. One

[Python-ideas] Re: Restricting access to sensitive APIs with a permission model like Deno

2023-02-26 Thread Chris Angelico
On Mon, 27 Feb 2023 at 02:32, python--- via Python-ideas wrote: > Currently, it only prevents module imports in a very elementary manner but > perhaps it can be of use to spark a discussion for an implementation. > It only restricts module imports? Then it's almost completely useless. Python cod

[Python-ideas] Re: Restricting access to sensitive APIs with a permission model like Deno

2023-02-26 Thread Paul Bryan
For such a thing to be useful, it will ultimately need to percolate up to users to understand what they are getting themselves into by using some application. Would this be correct in your view? Would permissions be attached to individual modules? Packages? Would they be declarative ahead of time,

[Python-ideas] Re: Restricting access to sensitive APIs with a permission model like Deno

2023-02-26 Thread python--- via Python-ideas
Could you elaborate on how Python code can easily bypass that sort of restriction? From my understanding, you can only do so with importlib by reading the raw source and evaluating it. In that case, I can just restrict importlib? Same with the open function which is from the io module which

[Python-ideas] Re: Restricting access to sensitive APIs with a permission model like Deno

2023-02-26 Thread python--- via Python-ideas
With Python being a language heavily utilized in server and end-user applications, I would take a different approach for both. I have to admit I haven't thought much about the "normal user" in this case and focused primarily on developers. Perhaps developers shipping an application ship the code

[Python-ideas] Re: Restricting access to sensitive APIs with a permission model like Deno

2023-02-26 Thread Tobias HT
I think Python's import system is modularized and extensible. You can write restrictions in your program to limit how modules access external code. I've also been using the RestrictedPython project from Zope foundation. It offers a way of creating a sandbox environment for Python quite easily by lev

[Python-ideas] Re: Restricting access to sensitive APIs with a permission model like Deno

2023-02-26 Thread Chris Angelico
On Mon, 27 Feb 2023 at 04:56, python--- via Python-ideas wrote: > > Could you elaborate on how Python code can easily bypass that sort of > restriction? > > From my understanding, you can only do so with importlib by reading the raw > source and evaluating it. In that case, I can just restrict

[Python-ideas] Re: Restricting access to sensitive APIs with a permission model like Deno

2023-02-26 Thread python--- via Python-ideas
I override the import mechanism in cpython, so yes, the __import__ function is also accounted for. The sys.modules was something I had not considered, that's a good point. I will have to look into it. I am not sure how arbitrary code execution will be able to use native APIs without importing t

[Python-ideas] Re: Restricting access to sensitive APIs with a permission model like Deno

2023-02-26 Thread Chris Angelico
On Mon, 27 Feb 2023 at 06:02, python--- via Python-ideas wrote: > > I override the import mechanism in cpython, so yes, the __import__ function > is also accounted for. Okay, cool. (Like I said, I didn't feel like wading through >1000 commits to find out exactly what you'd changed.) > The sys.m

[Python-ideas] Re: Restricting access to sensitive APIs with a permission model like Deno

2023-02-26 Thread python--- via Python-ideas
Thank you for the insight. I have some more work to do! I will share on this thread again when I've made further changes. If you have some time, I would be grateful if you could share a few test cases such as "bypass it by spinning off a new thread", or. object.__subclasses__. code is not nece

[Python-ideas] Re: Restricting access to sensitive APIs with a permission model like Deno

2023-02-26 Thread Chris Angelico
On Mon, 27 Feb 2023 at 08:33, python--- via Python-ideas wrote: > > Thank you for the insight. I have some more work to do! I will share on this > thread again when I've made further changes. > > If you have some time, I would be grateful if you could share a few test > cases such as "bypass i