Re: [R-pkg-devel] Sanitize Input Code for a Shiny App

2023-03-01 Thread Matthias Gondan
think about it and I’ll come back if I happen to put together a proof of concept. Best wishes, Matthias Von: Tomas Kalibera Gesendet: Mittwoch, 1. März 2023 09:01 An: Matthias Gondan; Bill Denney Cc: R Package Devel Betreff: Re: [R-pkg-devel] Sanitize Input Code for a Shiny App On 3/1/23 07:35

Re: [R-pkg-devel] Sanitize Input Code for a Shiny App

2023-03-01 Thread Tomas Kalibera
On 3/1/23 07:35, Matthias Gondan wrote: For the record, here's the documentation of the Prolog sandbox, https://www.swi-prolog.org/pldoc/doc/_SWI_/library/sandbox.pl You get an idea of the implementation by clicking at the ":-" icons. It does not seem too complicated, but I might be too opti

Re: [R-pkg-devel] Sanitize Input Code for a Shiny App

2023-02-28 Thread Matthias Gondan
For the record, here's the documentation of the Prolog sandbox, https://www.swi-prolog.org/pldoc/doc/_SWI_/library/sandbox.pl You get an idea of the implementation by clicking at the ":-" icons. It does not seem too complicated, but I might be too optimistic. It would be very nice to have such

Re: [R-pkg-devel] Sanitize Input Code for a Shiny App

2023-02-28 Thread Bill Denney
Hi Simon and Ivan, Thanks for confirming my suspicions. The most common case for our code would be generally trusted users within an organization. So, the main threat is lower. But, there may be scenarios that also allow use outside organizations. I think that in the end, we will likely do som

Re: [R-pkg-devel] Sanitize Input Code for a Shiny App

2023-02-26 Thread Simon Urbanek
Bill, the short answer is you can't limit anything at R level. Any attempts to create a list of "bad" commands are trivial to circumvent since you can compute on the language in R, so you can construct and call functions with trivial operations. Similarly, since R allows the loading of binary c

Re: [R-pkg-devel] Sanitize Input Code for a Shiny App

2023-02-26 Thread Ivan Krylov
On Sun, 26 Feb 2023 14:36:22 -0500 wrote: > What I'd like to be able to do is to sanitize the inputs to ensure > that it won't to things including installing packages, running system > commands, reading and writing to the filesystem, and accessing the > network. I'd like to allow the user to do

Re: [R-pkg-devel] Sanitize Input Code for a Shiny App

2023-02-26 Thread Matthias Gondan
Hi Bill, just for the records, the response could also be interesting for learnr developers https://github.com/rstudio/learnr Best wishes, Matthias Von: b...@denney.ws Gesendet: Sonntag, 26. Februar 2023 20:36 An: r-package-devel@r-project.org Betreff: [R-pkg-devel] Sanitize Input Code for

[R-pkg-devel] Sanitize Input Code for a Shiny App

2023-02-26 Thread bill
Hello, I'm working to develop a Shiny app where I'd like to have an advanced capability to accept user input and run the code. For the code received, I'd like to be able to prevent R from doing things other than working within the R session. For example, I want to prevent `system("rm -rf /*")