Django project - Allow users to write a custom function and store in DB

2013-02-15 Thread Robin Fordham
Hi,

I want to be able to allow users to write a custom function/object and save 
it to the database, so django can call up the function when needed.

I am aware of potential issues of users writing functions that could break 
and/or exploit my app; this is for internal use and I can write some tests in 
if needed.

So essentially I want to parse a string and convert it to a function.

Anyone got any pointers to send me in the right direction?

Thanks.

Robin.

-- 
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-users+unsubscr...@googlegroups.com.
To post to this group, send email to django-users@googlegroups.com.
Visit this group at http://groups.google.com/group/django-users?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.




Re: Django project - Allow users to write a custom function and store in DB

2013-02-15 Thread Ryan Nowakowski
Robin,

You could store that code as a string in the database.  Then to run it
you could execute it asynchronously using something like django-celery.
Have celery fork off a separate python process for each instance of code
execution.

By running code asynchronously, badly behaved code (infinite loops, long
sleeps) isn't a deal breaker.  By forking off a separate process you
can do all kinds of things to create a security sandbox.  You could run
the process in a chroot or even a virtual machine.

- Ryan

On Fri, Feb 15, 2013 at 11:14:50AM -0200, George Silva wrote:
> Hi Robin,
> 
> I've tried doing this and abandoned the idea. The code still works, but
> it's not being actively used.
> 
> I wrote this to work as a part of an ETL process custom made in Django.
> Basically I had field mappings and transformations, some of them fixed
> (conversion from str to int and the like) and custom transformations for
> each field and each row, that could be calculated by a user defined
> function.
> 
> There are MANY potential problems with this approach, but you should be fine
> IF THE environment is controlled. That means:
> 
> 1 - only super-authorized users can write these functions
> 2 - you can TRY to find dangerous code. That means finding whiles (while 1:
> pass can put you to sleep, for instance), dangerous imports, etc.
> 3 - I've used a common interface for the function. If the interface
> (parameters) is not the same, it won't work.
> 4 - namespace/sandbox the exec command
> 
> This is how I basically did it:
> 
>     # compile the stored source once and cache the code object on the instance
>     if not self._metodo_conversao:
>         self._metodo_conversao = compile(self.metodo_conversao,
>                                          "<string>", "exec")
> 
>     # run it in its own namespace: the code sees only the input row and the
>     # target field (plus the full builtins, so this isolates variables, not
>     # capabilities)
>     ns = {"__builtins__": __builtins__, "entrada": entrada,
>           "campo_novo": campo_novo}
>     exec self._metodo_conversao in ns
> 
> self being the model instance and _metodo_conversao being a string, which
> contained the code.
> 
> After all of these considerations, it is still UNSAFE to do such a thing
> for the general public. In my case this was an ETL process, so we might need
> different conversions. We found out that we only needed a few, so it wasn't
> worth the trouble.
> 
> -- 
> George R. C. Silva
> SIGMA Consultoria
> 
> http://www.consultoriasigma.com.br/
> 

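An added example (not code from this thread or from any of the posters) that combines Ryan's and George's advice above in Python 3: the stored source is pre-checked with the `ast` module (rejecting imports, `while` loops, dunder access, and any code that does not define the agreed `convert(entrada)` interface), then executed in a fresh interpreter started with `-I`, with a restricted `__builtins__` dict, a wall-clock timeout and a CPU rlimit so a runaway loop is killed instead of hanging the worker. The names `convert`, `entrada`, `STORED_CODE`, `RUNNER` and the builtins whitelist are constructed for the demo; wrapping `run_stored_code` in a Celery task is left to the caller.

```python
# Added example (not code from the thread): run a user-supplied transformation
# stored as a string in a separate interpreter process with a timeout, after a
# static pre-check. Names (convert, entrada, STORED_CODE) are constructed.
import ast
import json
import subprocess
import sys
import textwrap

try:
    import resource  # POSIX only; used to cap the child's CPU time
except ImportError:  # pragma: no cover
    resource = None

ENTRY_POINT = "convert"      # fixed interface every stored function must match
PARAMS = ["entrada"]
FORBIDDEN = (ast.Import, ast.ImportFrom, ast.While, ast.Global, ast.Nonlocal)

# Constructed sample of code as it would sit in the model's text field.
STORED_CODE = """
def convert(entrada):
    return int(entrada.strip()) * 2
"""


def check_source(source):
    """Static pre-check (George's points 2 and 3): reject imports, while loops,
    dunder access, and anything that does not define convert(entrada)."""
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:
        return [f"syntax error: {exc.msg} (line {exc.lineno})"]
    problems = []
    for node in ast.walk(tree):
        if isinstance(node, FORBIDDEN):
            problems.append(f"line {node.lineno}: {type(node).__name__} not allowed")
        elif isinstance(node, ast.Attribute) and node.attr.startswith("__"):
            problems.append(f"line {node.lineno}: dunder attribute {node.attr} not allowed")
        elif isinstance(node, ast.Name) and node.id.startswith("__"):
            problems.append(f"line {node.lineno}: dunder name {node.id} not allowed")
    defs = [n for n in tree.body
            if isinstance(n, ast.FunctionDef) and n.name == ENTRY_POINT]
    if len(defs) != 1 or [a.arg for a in defs[0].args.args] != PARAMS:
        problems.append(f"must define exactly one {ENTRY_POINT}({', '.join(PARAMS)})")
    return problems


# Script the child interpreter runs: read the job on stdin, exec the stored
# code in a namespace with a small builtins whitelist, print a JSON result.
RUNNER = textwrap.dedent("""
    import json, sys
    job = json.load(sys.stdin)
    ns = {"__builtins__": {"int": int, "float": float, "str": str, "len": len,
                           "range": range, "min": min, "max": max, "abs": abs}}
    exec(compile(job["code"], "<stored>", "exec"), ns)
    print(json.dumps({"result": ns[job["entry"]](job["entrada"])}))
""")


def _cap_cpu(seconds):
    """preexec hook: cap the child's CPU time as a second line of defence
    behind the parent's wall-clock timeout."""
    def hook():
        try:
            resource.setrlimit(resource.RLIMIT_CPU, (seconds, seconds))
        except (ValueError, OSError):
            pass
    return hook


def run_stored_code(source, entrada, timeout=2.0):
    """Run one stored transformation in a fresh, isolated interpreter (Ryan's
    separate process). Returns {"ok": True, "result": ...} or
    {"ok": False, "error": ...}; never raises on bad user code."""
    problems = check_source(source)
    if problems:
        return {"ok": False, "error": "; ".join(problems)}
    job = json.dumps({"code": source, "entry": ENTRY_POINT, "entrada": entrada})
    hook = _cap_cpu(int(timeout) + 1) if resource is not None else None
    try:
        proc = subprocess.run(
            [sys.executable, "-I", "-c", RUNNER],  # -I: isolated mode, no user site/env
            input=job, capture_output=True, text=True,
            timeout=timeout, preexec_fn=hook)
    except subprocess.TimeoutExpired:  # run() has already killed the child
        return {"ok": False, "error": f"timed out after {timeout}s"}
    if proc.returncode != 0:
        tail = proc.stderr.strip().splitlines()
        return {"ok": False, "error": tail[-1] if tail else f"exit status {proc.returncode}"}
    return {"ok": True, "result": json.loads(proc.stdout)["result"]}


if __name__ == "__main__":
    print(run_stored_code(STORED_CODE, " 21 "))
    print(run_stored_code("def convert(entrada):\n    while 1: pass\n", "x"))
```

The AST scan and the builtins whitelist are hygiene that catches honest mistakes early; the process boundary, the timeout and the rlimit are what actually contain a bad function, and, as Ryan notes, a chroot, container or VM around that process is the next layer if the authors of the stored code are not fully trusted.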




Re: Django project - Allow users to write a custom function and store in DB

2013-02-15 Thread bobhaugen
I found this useful in doing something like that:
http://lybniz2.sourceforge.net/safeeval.html
http://effbot.org/zone/librarybook-core-eval.htm





Re: Django project - Allow users to write a custom function and store in DB

2013-02-15 Thread Robin Fordham
Hi guys,

Thanks for all the pointers!

George / Bob - That's exactly the pointer I needed: 'exec' or 'eval'.

Ryan - Celery is something I have been looking into, but I hadn't thought 
of using it to put processes in a sandbox; I have a Raspberry Pi project 
with an array of LEDs and am building a Django front end to control them. 
A few of the chaser functions are while loops which would hang up everything, 
so pushing them to a subprocess over Celery should be ideal. BTW Django + 
nginx + FastCGI runs surprisingly well on a Pi!

Thanks for the help guys!

Robin.





Re: Django project - Allow users to write a custom function and store in DB

2013-02-15 Thread George Silva
Very cool.

Please post some notes about the whole thing.




-- 
George R. C. Silva
SIGMA Consultoria

http://www.consultoriasigma.com.br/





Re: Django project - Allow users to write a custom function and store in DB

2013-02-15 Thread Robin Fordham
> Very cool.
>
> Please post some notes about the whole thing.

Not as cool as it may sound, more me playing and trying to learn a bit
of digital electronics and improve my coding skills.

Video of my setup:

http://youtu.be/MFISZPqdbD4

My code (note this is just the Python object; the Django side of it is
VERY experimental still!):

https://bitbucket.org/gingebot/raspberry-pi-i2c-port-expander-play/overview
