The safest way to prevent attacks using an R connector is managing the
permissions for the application on your own server. We do that with the
RStudio Server application we have running. You have to take into account
that R allows for many interactions with the system. Also file(), dir(),
unlink() and all sys. functions have the potential to screen and possibly
alter your system. Not only system() and eval() pose a security problem...

How to do this exactly depends very much on both the server and OS
settings and the specific R connector you use/build. But don't count on R
alone to provide safety.

Cheers
Joris

On Wed, Dec 19, 2012 at 12:28 PM, Michael Weylandt <michael.weyla...@gmail.com> wrote:

>
>
> On Dec 18, 2012, at 12:48 PM, Etienne Sévin <e.se...@epiconcept.fr> wrote:
>
> > Hey all,
> >
> > We are building a R connector for our web application.
> > The user can upload a script so it can be executed on the server.
> >
> > Is there a way to scan the script for insidious commands (writing on the
> > disk for example) and purge them out?
>
> Completely, not that I know of: but grepping for system() and eval()
> should catch a majority of red flags.
>
> Michael
>
> > I guess a simple search is not enough so is there a way to analyse the
> > pseudo code?
> >
> > Best,
> >
> > Etienne
> >
> > ______________________________________________
> > R-devel@r-project.org mailing list
> > https://stat.ethz.ch/mailman/listinfo/r-devel
-- 
Joris Meys
Statistical consultant

Ghent University
Faculty of Bioscience Engineering
Department of Mathematical Modelling, Statistics and Bio-Informatics

tel : +32 9 264 59 87
joris.m...@ugent.be
-------------------------------
Disclaimer : http://helpdesk.ugent.be/e-maildisclaimer.php
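An added example, not code from Joris, Michael or Etienne, that puts the two approaches discussed in the thread side by side: Michael's text grep for system() and eval(), and a stronger scan that parses the uploaded script and looks only at names in call position (so the file()/dir()/unlink()/sys.* family Joris mentions can be covered without flagging a variable that happens to be called `file`). The sample scripts and the denylist are constructed for illustration; base R and utils only.

```r
# Added example (not from the thread): grep versus parse-tree scan of
# uploaded R scripts, and a script that slips past both.
# Sample scripts below are constructed for the demo.
scripts <- list(
  plain    = 'x <- 1:10\nsystem("id")',
  indirect = 'f <- get(paste0("sys", "tem")); f("id")',
  file_io  = 'con <- file("data.csv", "w"); writeLines("boom", con); close(con)',
  evasion  = 'baseenv()[[paste0("sys", "tem")]]("id")',
  benign   = 'x <- rnorm(100); c(mean = mean(x), sd = sd(x))'
)

# 1. The grep Michael proposed: match the literal call names in the text.
grep_scan <- function(src, patterns = c("system\\s*\\(", "eval\\s*\\(")) {
  any(vapply(patterns, function(p) grepl(p, src, perl = TRUE), logical(1)))
}

# 2. Parse the script and look at what is actually *called* by name.
#    SYMBOL_FUNCTION_CALL tokens are function names in call position, so
#    a variable named `file` is not flagged, but file(...) is.
#    Constructed denylist; it is a starting point, not a complete list.
denied <- c("system", "system2", "eval", "evalq", "parse", "source",
            "file", "dir", "list.files", "unlink", "file.remove",
            "readLines", "writeLines", "get", "get0", "match.fun",
            "do.call", "library", "require")

called_functions <- function(src) {
  exprs <- parse(text = src, keep.source = TRUE)   # keep.source gives token data
  pd <- utils::getParseData(exprs)
  unique(pd$text[pd$token == "SYMBOL_FUNCTION_CALL"])
}

ast_scan <- function(src) {
  calls <- tryCatch(called_functions(src), error = function(e) NA_character_)
  if (anyNA(calls)) return("unparseable")
  hits <- c(intersect(calls, denied), grep("^sys\\.", calls, value = TRUE))
  if (length(hits)) paste(hits, collapse = ",") else ""
}

report <- data.frame(
  script     = names(scripts),
  grep_flags = vapply(scripts, grep_scan, logical(1)),
  ast_hits   = vapply(scripts, ast_scan, character(1)),
  row.names  = NULL
)
print(report)
```

The grep only flags the `plain` script. The parse-tree scan additionally catches `indirect` (through `get`) and `file_io` (through `file` and `writeLines`), but `evasion` reaches the same system() via `baseenv()[[...]]` without ever naming a denied function in call position, and neither scan sees it. Any further bypass is one more denylist entry away, which is the point of the reply above: treat scanning as a linter at best, and rely on the permissions the interpreter actually runs with on the server.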
