Robin,

You could store that code as a string in the database.  Then to run it
you could execute it asynchronously using something like django-celery.
Have celery fork off a separate python process for each instance of code
execution.

By running code asynchronously, badly behaved code (loop forever, long
sleeps) isn't a deal breaker.  By forking off a separate process you
can do all kinds of things to create a security sandbox.  You could run
the process in a chroot or even a virtual machine.

- Ryan
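Putting the two suggestions in this thread together (a separate Python process per execution, and exec in a constructed namespace), as an added example that is not code from either poster: the stored code reads its input from `entrada` and assigns its result to `campo_novo`, the names George uses; the allow-list of builtins, the `timeout` value and the JSON handoff between parent and child are assumptions of this example.

```python
import json
import subprocess
import sys

# Source of the child interpreter. It reads one job from stdin, runs the stored
# code in a constructed namespace and writes the result back as one JSON line.
_CHILD_RUNNER = r'''
import json, sys
job = json.load(sys.stdin)
# Allow-list of builtins the conversions need; anything else (open, __import__,
# print, ...) is simply absent from the namespace the code sees.
safe_builtins = {"int": int, "str": str, "float": float, "len": len, "round": round}
ns = {"__builtins__": safe_builtins, "entrada": job["entrada"], "campo_novo": None}
try:
    exec(compile(job["code"], "<user-function>", "exec"), ns)
    print(json.dumps({"status": "ok", "campo_novo": ns["campo_novo"]}))
except Exception as exc:
    print(json.dumps({"status": "error", "detail": repr(exc)}))
'''


def run_user_transform(code, entrada, timeout=2.0):
    """Run one stored transformation in a fresh interpreter with a wall-clock limit.

    Returns (status, value) where status is "ok", "error" or "timeout". The
    namespace only keeps honest code from reaching for things it does not need;
    the process boundary (and whatever chroot/VM wraps it) is the real limit.
    """
    job = json.dumps({"code": code, "entrada": entrada})
    try:
        proc = subprocess.run(
            # -I: isolated mode, so the child ignores PYTHON* env vars and user site-packages
            [sys.executable, "-I", "-c", _CHILD_RUNNER],
            input=job, capture_output=True, text=True, timeout=timeout,
        )
    except subprocess.TimeoutExpired:
        # subprocess.run kills the child before raising, so `while 1: pass`
        # costs `timeout` seconds of one worker and nothing else.
        return "timeout", None
    if proc.returncode != 0:
        return "error", proc.stderr.strip()
    result = json.loads(proc.stdout)
    if result["status"] == "ok":
        return "ok", result["campo_novo"]
    return "error", result["detail"]
```

The caller (a celery task, in Ryan's setup) decides what to do with "error" and "timeout"; the web process itself never executes the stored string.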

On Fri, Feb 15, 2013 at 11:14:50AM -0200, George Silva wrote:
> Hi Robin,
> 
> I've tried doing this and abandoned the idea. The code still works, but
> it's not being actively used.
> 
> I wrote this to work as a part of an ETL process custom made in Django.
> Basically I had field mappings and transformations, some of them fixed
> (conversion from str to int and the like) and custom transformations for
> each field and each row, that could be calculated by a user defined
> function.
> 
> There are MANY potential problems for this approach, but you should be fine
> IF THE environment is controlled. That means:
> 
> 1 - only super-authorized users can write these functions
> 2 - you can TRY to find dangerous code. That means finding whiles (while 1:
> pass can put you to sleep, for instance), dangerous imports, etc.
> 3 - I've used a common interface for the function. If the interface
> (parameters) are not the same, it won't work.
> 4 - namespace/sandbox the exec command
> 
> This is how I basically did it:
> 
>     if not self._metodo_conversao:
>         # compile the stored source once and cache the code object on the instance
>         self._metodo_conversao = compile(self.metodo_conversao, "<string>", "exec")
> 
>     # namespace the code runs in: the builtins plus this row's input and output slot
>     ns = {"__builtins__": __builtins__, "entrada": entrada, "campo_novo": campo_novo}
>     exec self._metodo_conversao in ns  # Python 2 exec statement
> 
> self being the model instance and _metodo_conversao being a string, which
> contained the code.
> 
> After all of these considerations, it is still UNSAFE to do such a thing
> for the general public. In my case this was an ETL process, so we might need
> different conversions. We found out that we only needed a few, so it wasn't
> worth the trouble.
> 
> On Fri, Feb 15, 2013 at 11:03 AM, Robin Fordham <ginge...@gmail.com> wrote:
> 
> > Hi,
> >
> > I want to be able to allow users to write a custom function/object and
> > save it to the database, so django can call up the function when needed.
> >
> > I am aware of potential issues of users writing functions that could break
> > and/or exploit my app; this is for internal use and I can write some tests in if
> > needed.
> >
> > So essentially I want to parse a string and convert it to a function.
> >
> > Anyone got any pointers to send me in the right direction?
> >
> > Thanks.
> >
> > Robin.
> >
> > --
> > You received this message because you are subscribed to the Google Groups
> > "Django users" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to django-users+unsubscr...@googlegroups.com.
> > To post to this group, send email to django-users@googlegroups.com.
> > Visit this group at http://groups.google.com/group/django-users?hl=en.
> > For more options, visit https://groups.google.com/groups/opt_out.
> >
> >
> >
> 
> -- 
> George R. C. Silva
> SIGMA Consultoria
> ----------------------------
> http://www.consultoriasigma.com.br/
> 
