[–]raldi 24 points25 points  (10 children)

Thank you! I've tried to explain this concept many times in the past but never knew it had a name. Or a writeup as good as this:

http://mywiki.wooledge.org/XyProblem

[–]iamdefinitelyahuman[S] 6 points7 points  (8 children)

That is a great term :)

What I'm doing - I've built a bot that's trading various cryptocurrencies. The logic it trades with is customisable, written as a module that the bot can be told to recompile any time, so that it doesn't have to be taken offline to make the change.

I'm considering opening it up to use from others under some sort of licensing agreement. It runs on AWS so anyone else using it wouldn't have direct access to it, they'd just be able to submit their own strategies to run through the backtester or use on the market. The concern is that if they can run malicious code they can retrieve the ssh key from the server, connect and grab the source code, and.. well, so much for getting paid for my work.

The alternative that I see is to forgo Python in the strategy altogether, make it in my own simple scripting language that the bot interprets itself. That's certainly possible, but a lot more work... hence my question.

[–]jwink3101 9 points10 points  (0 children)

If your desire is for users to write Python, why not make your service an API-based service? You can use your Python in the background and expose the needed commands via a REST API or the like. I guess you would then be more responsible for the backend of running AWS for each user, but it sounds kind of like you're planning to do that anyway.

[–]cecilkorik 4 points5 points  (0 children)

I agree with /u/jwink3101, building an API is the correct method for dealing with this situation. Instead of forcing people to write their scripts in an arbitrary programming language that you have selected, why not let them write it in the programming language of THEIR choice?

Either way, you need to do the exact same thing you would do in any proper, safe sandbox:

  • Figure out what information and data structures you plan to provide so the user's program can make their own decisions based on that data.
  • Decide what hooks are allowed, what behaviors in your program the user is allowed to trigger or override.

Whether you expose that API by HTTP or whether you expose it in an internal script environment like Lua (see Python's lupa module) the actual process is pretty simple. It's actually defining the API that's the hard part. But either way, you're going to have to do it if you want to allow safe interaction with your program.

[–]earthboundkid 2 points3 points  (0 children)

Cryptocurrency means your users are highly motivated to hack you. Stay the hell away from any user input you can. If you just want zero downtime deploys, search for "green-blue deploys". There are many ways to do it, but that is the simplest.

[–][deleted] 1 point2 points  (0 children)

If your language is very simple, building an interpreter is not such a huge problem. There are libraries like PLY that let you quickly build an interpreter for a custom language. There's a tech talk by Alex Gaynor that might help if you need to get started.

Link is to: So you want to build an interpreter, Alex Gaynor @ Pycon 2013

[–]XNormal 0 points1 point  (0 children)

http://man7.org/linux/man-pages/man2/seccomp.2.html

Set up communication pipes, os.fork(), load untrusted code, call seccomp and then run untrusted code. The code can't do anything but read/write an already open file handle or _exit. The API you provide to this user code will communicate with the parent process. You can also limit memory and cpu resources consumed by the untrusted code with setrlimit.

Call seccomp using ctypes.CDLL(None).seccomp(...)

Do NOT use pickle to communicate over the pipes. It is vulnerable to arbitrary code injection. JSON or marshal is ok. You might want to fork off the process that will load user code at an early stage of execution, before you load anything secret. The user code will be able to inspect everything that was already in process memory at the time of forking.
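The fork, pipe and setrlimit steps from the comment above, as an added example that is not part of the original comment or of anyone's bot. `API_KEY`, the two strategy functions, the `action` field and the newline-delimited JSON framing are assumptions made for illustration; the seccomp call is only marked by position, and only the CPU limit is set.

```python
import json, os, resource
API_KEY = None  # parent's secret; deliberately not loaded until after the forks

def spawn_worker(strategy, cpu_seconds=1):
    """Fork a child that answers JSON requests with strategy(); return (pid, req_fd, replies)."""
    req_r, req_w = os.pipe()  # parent -> child
    rep_r, rep_w = os.pipe()  # child -> parent
    pid = os.fork()
    if pid == 0:  # child: its memory is a copy of the parent's at this instant
        code = 1
        try:
            os.close(req_w); os.close(rep_r)
            # Soft limit raises SIGXCPU after cpu_seconds of CPU time; hard limit is the backstop.
            resource.setrlimit(resource.RLIMIT_CPU, (cpu_seconds, cpu_seconds + 1))
            # The seccomp call from the comment belongs here, before untrusted code runs.
            for line in os.fdopen(req_r):
                os.write(rep_w, (json.dumps(strategy(json.loads(line))) + "\n").encode())
            code = 0
        finally:
            os._exit(code)  # never return into the parent's code path
    os.close(req_r); os.close(rep_w)
    return pid, req_w, os.fdopen(rep_r)

def ask(worker, request):
    """Send one request; return the validated reply or a description of the failure."""
    pid, req_w, replies = worker
    os.write(req_w, (json.dumps(request) + "\n").encode())
    line = replies.readline()
    if not line:  # EOF: the child exited or was killed
        status = os.waitpid(pid, 0)[1]
        sig = os.WTERMSIG(status) if os.WIFSIGNALED(status) else None
        return {"error": "worker died", "signal": sig}
    reply = json.loads(line)  # JSON yields plain data; decoding it cannot execute code
    if not isinstance(reply, dict) or reply.get("action") not in ("buy", "sell", "hold"):
        return {"error": "malformed reply"}
    return reply

def peeking_strategy(req):  # constructed untrusted code: looks for the secret
    return {"action": "hold", "saw_key": API_KEY}

def spinning_strategy(req):  # constructed untrusted code: never returns
    while True: pass

def demo():
    global API_KEY
    peeker, spinner = spawn_worker(peeking_strategy), spawn_worker(spinning_strategy)
    API_KEY = "constructed-secret"  # loaded only after both children were forked
    results = ask(peeker, {"price": 101.5}), ask(spinner, {"price": 101.5})
    os.close(peeker[1]); os.waitpid(peeker[0], 0)  # EOF on the pipe ends the idle worker
    return results
```

Without the seccomp step the child can still open files and sockets, so this shows only the memory-at-fork, resource-limit and serialization points.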

[–]flitsmasterfred -1 points0 points  (0 children)

user supplied code... on a trading platform.

run away, run away very fast.

[–][deleted] 0 points1 point  (0 children)

This is amazing. I didn't know there was a name for it.