Hi Bill, just for the records, the response could also be interesting for learnr developers
https://github.com/rstudio/learnr Best wishes, Matthias Von: b...@denney.ws Gesendet: Sonntag, 26. Februar 2023 20:36 An: r-package-devel@r-project.org Betreff: [R-pkg-devel] Sanitize Input Code for a Shiny App Hello, I'm working to develop a Shiny app where I'd like to have an advanced capability to accept user input and run the code. For the code received, I'd like to be able to prevent R from doing things other than working within the R session. For example, I want to prevent `system("rm -rf /*")`. One method to achieve this is to run the R session within a Docker container and perform the security around the container. The user could do some things within the container, but they would be limited. What I'd like to be able to do is to sanitize the inputs to ensure that it won't to things including installing packages, running system commands, reading and writing to the filesystem, and accessing the network. I'd like to allow the user to do almost anything they want within R, so making a list of acceptable commands is not accomplishing the goal. I could try to do something like: * have acceptable packages loaded, only, * don't allow loading additional packages, * deny a set of known-bad commands (e.g. system, system2, etc.) * deny any attempt to run from additional packages (exclude calls with a double-colon or triple-colon) The method I just described seems like it would not work well because it assumes that the known-bad commands is comprehensive and that I'm being creative enough in ways that users could try to break things. Is there a good way to sanitize arbitrary code from users to prevent malicious behavior? Thanks, Bill [[alternative HTML version deleted]] ______________________________________________ R-package-devel@r-project.org mailing list https://stat.ethz.ch/mailman/listinfo/r-package-devel [[alternative HTML version deleted]] ______________________________________________ R-package-devel@r-project.org mailing list https://stat.ethz.ch/mailman/listinfo/r-package-devel
