RestrictedPython provides a restricted execution environment for Python, e.g. for running untrusted code.

Navigation

Verified details

These details have been verified by PyPI
Owner
Maintainers
Avatar for agroszer from gravatar.com agroszer Avatar for davisagli from gravatar.com davisagli Avatar for hannosch from gravatar.com hannosch Avatar for icemac from gravatar.com icemac Avatar for J1m from gravatar.com J1m Avatar for mgedmin from gravatar.com mgedmin Avatar for tlotze from gravatar.com tlotze Avatar for tseaver from gravatar.com tseaver

Unverified details

These details have not been verified by PyPI
Project links
Meta
Report project as malware

Project description

Overview

RestrictedPython provides a restricted_compile function that works like the built-in compile function, except that it allows the controlled and restricted execution of code:

>>> src = '''
... def hello_world():
...     return "Hello World!"
... '''
>>> from RestrictedPython import compile_restricted
>>> code = compile_restricted(src, '<string>', 'exec')

The resulting code can be executed using the exec built-in:

>>> exec(code)

As a result, the hello_world function is now available in the global namespace:

>>> hello_world()
'Hello World!'

Implementing a policy

RestrictedPython only provides the raw material for restricted execution. To actually enforce any restrictions, you need to supply a policy implementation by providing restricted versions of print, getattr, setattr, import, etc. These restricted implementations are hooked up by providing a set of specially named objects in the global dict that you use for execution of code. Specifically:

  1. _print_ is a callable object that returns a handler for print statements. This handler must have a write() method that accepts a single string argument, and must return a string when called. RestrictedPython.PrintCollector.PrintCollector is a suitable implementation.

  2. _write_ is a guard function taking a single argument. If the object passed to it may be written to, it should be returned, otherwise the guard function should raise an exception. _write is typically called on an object before a setattr operation.

  3. _getattr_ and _getitem_ are guard functions, each of which takes two arguments. The first is the base object to be accessed, while the second is the attribute name or item index that will be read. The guard function should return the attribute or subitem, or raise an exception.

  4. __import__ is the normal Python import hook, and should be used to control access to Python packages and modules.

  5. __builtins__ is the normal Python builtins dictionary, which should be weeded down to a set that cannot be used to get around your restrictions. A usable “safe” set is RestrictedPython.Guards.safe_builtins.

To help illustrate how this works under the covers, here’s an example function:

def f(x):
    x.foo = x.foo + x[0]
    print x
    return printed

and (sort of) how it looks after restricted compilation:

def f(x):
    # Make local variables from globals.
    _print = _print_()
    _write = _write_
    _getattr = _getattr_
    _getitem = _getitem_

    # Translation of f(x) above
    _write(x).foo = _getattr(x, 'foo') + _getitem(x, 0)
    print >>_print, x
    return _print()

Examples

print

To support the print statement in restricted code, we supply a _print_ object (note that it’s a factory, e.g. a class or a callable, from which the restricted machinery will create the object):

>>> from RestrictedPython.PrintCollector import PrintCollector
>>> _print_ = PrintCollector

>>> src = '''
... print "Hello World!"
... '''
>>> code = compile_restricted(src, '<string>', 'exec')
>>> exec(code)

As you can see, the text doesn’t appear on stdout. The print collector collects it. We can have access to the text using the printed variable, though:

>>> src = '''
... print "Hello World!"
... result = printed
... '''
>>> code = compile_restricted(src, '<string>', 'exec')
>>> exec(code)

>>> result
'Hello World!\n'

Built-ins

By supplying a different __builtins__ dictionary, we can rule out unsafe operations, such as opening files:

>>> from RestrictedPython.Guards import safe_builtins
>>> restricted_globals = dict(__builtins__ = safe_builtins)

>>> src = '''
... open('/etc/passwd')
... '''
>>> code = compile_restricted(src, '<string>', 'exec')
>>> exec(code) in restricted_globals
Traceback (most recent call last):
  ...
NameError: name 'open' is not defined

Guards

Here’s an example of a write guard that never lets restricted code modify (assign, delete an attribute or item) except dictionaries and lists:

>>> from RestrictedPython.Guards import full_write_guard
>>> _write_ = full_write_guard
>>> _getattr_ = getattr

>>> class BikeShed(object):
...     colour = 'green'
...
>>> shed = BikeShed()

Normally accessing attriutes works as expected, because we’re using the standard getattr function for the _getattr_ guard:

>>> src = '''
... print shed.colour
... result = printed
... '''
>>> code = compile_restricted(src, '<string>', 'exec')
>>> exec(code)

>>> result
'green\n'

However, changing an attribute doesn’t work:

>>> src = '''
... shed.colour = 'red'
... '''
>>> code = compile_restricted(src, '<string>', 'exec')
>>> exec(code)
Traceback (most recent call last):
  ...
TypeError: attribute-less object (assign or del)

As said, this particular write guard (full_write_guard) will allow restricted code to modify lists and dictionaries:

>>> fibonacci = [1, 1, 2, 3, 4]
>>> transl = dict(one=1, two=2, tres=3)
>>> src = '''
... # correct mistake in list
... fibonacci[-1] = 5
... # one item doesn't belong
... del transl['tres']
... '''
>>> code = compile_restricted(src, '<string>', 'exec')
>>> exec(code)

>>> fibonacci
[1, 1, 2, 3, 5]
>>> sorted(transl.keys())
['one', 'two']

Changes

3.4.2 (2007/07/28)

  • Changed homepage URL to the CheeseShop site

  • Greatly improved README.txt

3.4.1 (2007/06/23)

  • Fixed Collector/#2295 (Zope 2, PythonScripts)

3.4.0 (2007/06/04)

  • RestrictedPython now has its own release cycle as a separate egg.

  • Synchronized with RestrictedPython from Zope 2 tree.

3.2.0 (2006/01/05)

  • Corresponds to the verison of the RestrictedPython package shipped as part of the Zope 3.2.0 release.

  • No changes from 3.1.0.

3.1.0 (2005/10/03)

  • Corresponds to the verison of the RestrictedPython package shipped as part of the Zope 3.1.0 release.

  • Removed unused fossil module, ‘SafeMapping’.

  • Replaced use of deprecated ‘whrandom’ module with ‘random’ (aliased to ‘whrandom’ for backward compatibility).

3.0.0 (2004/11/07)

  • Corresponds to the verison of the RestrictedPython package shipped as part of the Zope X3.0.0 release.

Project details

Verified details

These details have been verified by PyPI
Owner
Maintainers
Avatar for agroszer from gravatar.com agroszer Avatar for davisagli from gravatar.com davisagli Avatar for hannosch from gravatar.com hannosch Avatar for icemac from gravatar.com icemac Avatar for J1m from gravatar.com J1m Avatar for mgedmin from gravatar.com mgedmin Avatar for tlotze from gravatar.com tlotze Avatar for tseaver from gravatar.com tseaver

Unverified details

These details have not been verified by PyPI
Project links
Meta

Release history Release notifications | RSS feed

8.1a1.dev0 pre-release

8.0

7.4

7.3

7.2

7.2a1.dev0 pre-release

7.1

7.0

7.0a2.dev0 pre-release

7.0a1.dev1 pre-release

7.0a1.dev0 pre-release

6.2

6.1

6.0

6.0a1.dev0 pre-release

5.4

5.3

5.3a1.dev0 pre-release yanked

Reason this release was yanked:

Replaced by 6.0a1.dev0

5.2

5.2a1.dev0 pre-release yanked

Reason this release was yanked:

no longer needed pre-release

5.1

5.0

4.0

4.0b8 pre-release

4.0b7 pre-release

4.0b6 pre-release

4.0b5 pre-release

4.0b4 pre-release

4.0b3 pre-release

4.0b2 pre-release

4.0b1 pre-release

4.0a3 pre-release

4.0a2 pre-release

4.0a1 pre-release

3.6.0

3.6.0a1 pre-release yanked

Reason this release was yanked:

old alpha

3.5.2

3.5.1

3.5.0

3.4.3

This version

3.4.2

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

RestrictedPython-3.4.2.tar.gz (32.6 kB view details)

Uploaded Source

Built Distribution

RestrictedPython-3.4.2-py2.4.egg (80.1 kB view details)

Uploaded Egg

File details

Details for the file RestrictedPython-3.4.2.tar.gz.

File metadata

File hashes

Hashes for RestrictedPython-3.4.2.tar.gz
Algorithm Hash digest
SHA256 3b6af39652ab12b04e4a3c798d5d47a08268bb3c1ccf01a8f7393526f84e3dc6
MD5 20947dbbb0c8a7e6304a1d632dd9ea3f
BLAKE2b-256 0a7e801c02a6f90a14ee511c19e39bb56be47e62e40f5e351e381fd42fda5e62

See more details on using hashes here.

File details

Details for the file RestrictedPython-3.4.2-py2.4.egg.

File metadata

File hashes

Hashes for RestrictedPython-3.4.2-py2.4.egg
Algorithm Hash digest
SHA256 84606bfbfbb03ed20c63c1625aee611b459c0012bd0cffe54eb132164a0650e5
MD5 cde0f77dcea0acae71f51be773376ab0
BLAKE2b-256 c643a0dabac04782ed0237c9ee676f4282f01d32a33d27d4696099a1e406fabc

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page