On Wed, 31 Dec 2025 15:19:55 +0000, "Evans, Richard K. (GRC-H000) via R-help" <[email protected]> wrote:
> In the same way that it is already a normal practice to use
> "ImageMagick" as a microservice for generating thumbnails and other
> size variations of images, I think "R" would be the perfect
> microservice for charts.

This should be fine on wikis that only trusted people can write, but otherwise will need very careful consideration. R is a little too powerful; it was not designed to be a security boundary.

Much like ImageMagick needs to be carefully tuned (see /etc/ImageMagick*/policy.xml) to avoid resource exhaustion attacks from images that are compressed too well (does anyone want a 1e6 by 1e6 bitmap?), image formats that are Turing-complete (PostScript) and plain vulnerabilities in rarely-used decoders, an R microservice would need to be protected to prevent arbitrary code execution attacks somehow. The "forbidden commands" approach [1] is inadequate: yes, eval() is forbidden, but an attacker can still construct new calls and stash them into other objects whose methods call eval() for them [2].

The problem is compounded by the fact that for best plot output, the R plugin would need both arbitrary code execution (because plots are described in code) and third-party packages (e.g. 'latticeExtra', or the whole 'ggplot2' ecosystem). Managing an R library of packages is not hard, and neither is running child processes confined to a temporary, read-only sandbox, but it's not the kind of maintenance that MediaWiki administrators are used to.
--
Best regards,
Ivan

[1] https://github.com/sigbertklinke/R/blob/master/ForbiddenCommandsR.php
[2] See my useR2025 talk and an older but related blog post:
    https://www.youtube.com/watch?v=gDBbRZXKx1s
    https://aitap.github.io/2024/05/02/unserialize.html
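The "child processes confined to a temporary, read-only sandbox" that the reply mentions, as an added example that is not part of the thread and not code from any R or MediaWiki project: a small POSIX shell wrapper that renders one submitted plot script under a wall-clock limit, CPU and memory limits, a throwaway working directory with the script itself made read-only, an empty user library so install.packages() has nowhere to go, and a curated package library at an assumed path. The library path, limits and the plot.R / plot.png file names are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the r-help thread: render an untrusted R plot
# script as a confined child process. Paths and limits are assumptions.

R_SANDBOX_LIB="${R_SANDBOX_LIB:-/opt/r-plot-lib}"    # assumed admin-curated package library
R_SANDBOX_WALL_SECS="${R_SANDBOX_WALL_SECS:-10}"      # wall-clock cap per render
R_SANDBOX_CPU_SECS="${R_SANDBOX_CPU_SECS:-5}"         # CPU-time cap per render
R_SANDBOX_MEM_KB="${R_SANDBOX_MEM_KB:-524288}"        # 512 MiB address-space cap
R_SANDBOX_OUT_BLOCKS="${R_SANDBOX_OUT_BLOCKS:-4096}"  # largest file R may write (shell block units, 1024 bytes in bash)
R_SANDBOX_MAX_BYTES="${R_SANDBOX_MAX_BYTES:-65536}"   # refuse oversized scripts up front

# Cheap pre-check: a chart description should be small, so anything bigger is
# rejected before R ever sees it. Returns 0 (accept) or 1 (reject).
check_script() {
    size=$(wc -c < "$1")
    [ "$size" -le "$R_SANDBOX_MAX_BYTES" ]
}

# The exact command line that runs inside the sandbox. --vanilla skips every
# startup file (.Rprofile, .Renviron, site files), so only the curated library
# and the submitted script influence the process; timeout kills the job when
# it overruns the wall-clock budget. Printed rather than executed so it can be
# logged and checked without Rscript on this machine.
sandbox_cmd() {
    printf 'timeout -k 1 %s Rscript --vanilla %s %s\n' \
        "$R_SANDBOX_WALL_SECS" "$1" "$2"
}

# Run one render job: $1 = submitted script, $2 = where to copy the PNG.
run_sandboxed() {
    script="$1"; dest="$2"
    check_script "$script" || return 1
    work=$(mktemp -d) || return 1
    mkdir "$work/in" "$work/out" "$work/nolib"
    cp "$script" "$work/in/plot.R"
    chmod -R a-w "$work/in"           # the script cannot rewrite its own input
    chmod a-w "$work/nolib"           # empty, unwritable user library
    (
        cd "$work/out" || exit 1
        ulimit -t "$R_SANDBOX_CPU_SECS"   # CPU seconds
        ulimit -v "$R_SANDBOX_MEM_KB"     # virtual memory
        ulimit -f "$R_SANDBOX_OUT_BLOCKS" # cap on any file R writes
        # env -i drops the caller's environment (tokens, proxies, R settings);
        # only the variables named here reach the child.
        exec env -i HOME="$work/out" PATH=/usr/bin:/bin TMPDIR="$work/out" \
            R_LIBS="$R_SANDBOX_LIB" R_LIBS_USER="$work/nolib" \
            $(sandbox_cmd "$work/in/plot.R" "$work/out/plot.png")
    )
    status=$?
    [ "$status" -eq 0 ] && [ -f "$work/out/plot.png" ] && cp "$work/out/plot.png" "$dest"
    rm -rf "$work"                    # nothing the script wrote survives the job
    return "$status"
}

# Usage: sh render.sh submitted.R /var/www/charts/out.png
if [ "$#" -eq 2 ]; then
    run_sandboxed "$1" "$2"
fi
```

Resource limits and a throwaway directory address the resource-exhaustion side of the comparison with ImageMagick; they do not make R a security boundary, which is the reply's point. Because the script still executes arbitrary R, a deployment would put this wrapper inside a separate unprivileged uid, a mount or PID namespace (or a container) with no network, and a dedicated host, and would treat the curated library as a dependency to be patched like any other.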

