Hello all,
Supply chain attacks are becoming a pressing concern in software development
due to the large number of dependencies and multiple attack vectors. Using
third-party modules (libraries, packages, etc.) is always a risk, but the true
potential of these attacks is now being weaponized. One
Could you elaborate on how Python code can easily bypass that sort of
restriction?
> From my understanding, you can only do so with importlib by reading the raw
> source and evaluating it. In that case, I can just restrict importlib? Same
> with the open function which is from the io module which
With Python being a language heavily utilized in server and end-user
applications, I would take a different approach for both. I have to admit I
haven't thought much about the "normal user" in this case and focused primarily
on developers. Perhaps developers shipping an application ship the code
I override the import mechanism in CPython, so yes, the __import__ function is
also accounted for.
sys.modules was something I had not considered; that's a good point. I will
have to look into it.
I am not sure how arbitrary code execution will be able to use native APIs
without importing t
Thank you for the insight. I have some more work to do! I will share on this
thread again when I've made further changes.
If you have some time, I would be grateful if you could share a few test cases
such as "bypass it by spinning off a new thread", or.
object.__subclasses__. code is not nece
Have you looked at the diff? It's not "1000+" commits as you claim. It's 17
commits with most being README changes. The base is not the master branch but
the 3.11.0 release.
https://github.com/python/cpython/compare/3.11...R9295:cpython:policy
I do not see why you cannot audit and run this (or
Thank you for your insight.
> I hope you are at least aware that over the years various multi-year attempts
> to create Python sandboxes ultimately failed to the point of being altogether
> abandoned.
Yes I am, I have looked at pysandbox and RestrictedPython and I believe my
approach, albeit very
I really appreciate the pointers, thank you. I will look into them.
___
Python-ideas mailing list -- python-ideas@python.org
To unsubscribe send an email to python-ideas-le...@python.org
https://mail.python.org/mailman3/lists/python-ideas.python.org/
Mess
Makes sense, will do so.