diff options
Diffstat (limited to 'lib/kross/python/scripts/RestrictedPython')
11 files changed, 1132 insertions, 0 deletions
diff --git a/lib/kross/python/scripts/RestrictedPython/Eval.py b/lib/kross/python/scripts/RestrictedPython/Eval.py new file mode 100644 index 00000000..841067a1 --- /dev/null +++ b/lib/kross/python/scripts/RestrictedPython/Eval.py @@ -0,0 +1,118 @@ +############################################################################## +# +# Copyright (c) 2001 Zope Corporation and Contributors. All Rights Reserved. +# +# This software is subject to the provisions of the Zope Public License, +# Version 2.0 (ZPL). A copy of the ZPL should accompany this distribution. +# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY AND ALL EXPRESS OR IMPLIED +# WARRANTIES ARE DISCLAIMED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +# WARRANTIES OF TITLE, MERCHANTABILITY, AGAINST INFRINGEMENT, AND FITNESS +# FOR A PARTICULAR PURPOSE +# +############################################################################## +"""Restricted Python Expressions + +$Id: Eval.py 24763 2004-05-17 05:59:28Z philikon $ +""" + +__version__='$Revision: 1.6 $'[11:-2] + +from RestrictedPython import compile_restricted_eval + +from string import translate, strip +import string + +nltosp = string.maketrans('\r\n',' ') + +default_guarded_getattr = getattr # No restrictions. + +def default_guarded_getitem(ob, index): + # No restrictions. + return ob[index] + +PROFILE = 0 + +class RestrictionCapableEval: + """A base class for restricted code.""" + + globals = {'__builtins__': None} + rcode = None # restricted + ucode = None # unrestricted + used = None + + def __init__(self, expr): + """Create a restricted expression + + where: + + expr -- a string containing the expression to be evaluated. + """ + expr = strip(expr) + self.__name__ = expr + expr = translate(expr, nltosp) + self.expr = expr + self.prepUnrestrictedCode() # Catch syntax errors. + + def prepRestrictedCode(self): + if self.rcode is None: + if PROFILE: + from time import clock + start = clock() + co, err, warn, used = compile_restricted_eval( + self.expr, '<string>') + if PROFILE: + end = clock() + print 'prepRestrictedCode: %d ms for %s' % ( + (end - start) * 1000, `self.expr`) + if err: + raise SyntaxError, err[0] + self.used = tuple(used.keys()) + self.rcode = co + + def prepUnrestrictedCode(self): + if self.ucode is None: + # Use the standard compiler. + co = compile(self.expr, '<string>', 'eval') + if self.used is None: + # Examine the code object, discovering which names + # the expression needs. + names=list(co.co_names) + used={} + i=0 + code=co.co_code + l=len(code) + LOAD_NAME=101 + HAVE_ARGUMENT=90 + while(i < l): + c=ord(code[i]) + if c==LOAD_NAME: + name=names[ord(code[i+1])+256*ord(code[i+2])] + used[name]=1 + i=i+3 + elif c >= HAVE_ARGUMENT: i=i+3 + else: i=i+1 + self.used=tuple(used.keys()) + self.ucode=co + + def eval(self, mapping): + # This default implementation is probably not very useful. :-( + # This is meant to be overridden. + self.prepRestrictedCode() + code = self.rcode + d = {'_getattr_': default_guarded_getattr, + '_getitem_': default_guarded_getitem} + d.update(self.globals) + has_key = d.has_key + for name in self.used: + try: + if not has_key(name): + d[name] = mapping[name] + except KeyError: + # Swallow KeyErrors since the expression + # might not actually need the name. If it + # does need the name, a NameError will occur. + pass + return eval(code, d) + + def __call__(self, **kw): + return self.eval(kw) diff --git a/lib/kross/python/scripts/RestrictedPython/Guards.py b/lib/kross/python/scripts/RestrictedPython/Guards.py new file mode 100644 index 00000000..4fbdcad1 --- /dev/null +++ b/lib/kross/python/scripts/RestrictedPython/Guards.py @@ -0,0 +1,136 @@ +############################################################################## +# +# Copyright (c) 2001 Zope Corporation and Contributors. All Rights Reserved. +# +# This software is subject to the provisions of the Zope Public License, +# Version 2.0 (ZPL). A copy of the ZPL should accompany this distribution. +# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY AND ALL EXPRESS OR IMPLIED +# WARRANTIES ARE DISCLAIMED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +# WARRANTIES OF TITLE, MERCHANTABILITY, AGAINST INFRINGEMENT, AND FITNESS +# FOR A PARTICULAR PURPOSE +# +############################################################################## +__version__ = '$Revision: 1.14 $'[11:-2] + +import exceptions + +# This tiny set of safe builtins is extended by users of the module. +# AccessControl.ZopeGuards contains a large set of wrappers for builtins. +# DocumentTemplate.DT_UTil contains a few. + +safe_builtins = {} + +for name in ['False', 'None', 'True', 'abs', 'basestring', 'bool', 'callable', + 'chr', 'cmp', 'complex', 'divmod', 'float', 'hash', + 'hex', 'id', 'int', 'isinstance', 'issubclass', 'len', + 'long', 'oct', 'ord', 'pow', 'range', 'repr', 'round', + 'str', 'tuple', 'unichr', 'unicode', 'xrange', 'zip']: + + safe_builtins[name] = __builtins__[name] + +# Wrappers provided by this module: +# delattr +# setattr + +# Wrappers provided by ZopeGuards: +# __import__ +# apply +# dict +# enumerate +# filter +# getattr +# hasattr +# iter +# list +# map +# max +# min +# sum + +# Builtins that are intentionally disabled +# compile - don't let them produce new code +# dir - a general purpose introspector, probably hard to wrap +# execfile - no direct I/O +# file - no direct I/O +# globals - uncontrolled namespace access +# input - no direct I/O +# locals - uncontrolled namespace access +# open - no direct I/O +# raw_input - no direct I/O +# vars - uncontrolled namespace access + +# There are several strings that describe Python. I think there's no +# point to including these, although they are obviously safe: +# copyright, credits, exit, help, license, quit + +# Not provided anywhere. Do something about these? Several are +# related to new-style classes, which we are too scared of to support +# <0.3 wink>. coerce, buffer, and reload are esoteric enough that no +# one should care. + +# buffer +# classmethod +# coerce +# eval +# intern +# object +# property +# reload +# slice +# staticmethod +# super +# type + +for name in dir(exceptions): + if name[0] != "_": + safe_builtins[name] = getattr(exceptions, name) + +def _write_wrapper(): + # Construct the write wrapper class + def _handler(secattr, error_msg): + # Make a class method. + def handler(self, *args): + try: + f = getattr(self.ob, secattr) + except AttributeError: + raise TypeError, error_msg + f(*args) + return handler + class Wrapper: + def __len__(self): + # Required for slices with negative bounds. + return len(self.ob) + def __init__(self, ob): + self.__dict__['ob'] = ob + __setitem__ = _handler('__guarded_setitem__', + 'object does not support item or slice assignment') + __delitem__ = _handler('__guarded_delitem__', + 'object does not support item or slice assignment') + __setattr__ = _handler('__guarded_setattr__', + 'attribute-less object (assign or del)') + __delattr__ = _handler('__guarded_delattr__', + 'attribute-less object (assign or del)') + return Wrapper + +def _full_write_guard(): + # Nested scope abuse! + # safetype and Wrapper variables are used by guard() + safetype = {dict: True, list: True}.has_key + Wrapper = _write_wrapper() + def guard(ob): + # Don't bother wrapping simple types, or objects that claim to + # handle their own write security. + if safetype(type(ob)) or hasattr(ob, '_guarded_writes'): + return ob + # Hand the object to the Wrapper instance, then return the instance. + return Wrapper(ob) + return guard +full_write_guard = _full_write_guard() + +def guarded_setattr(object, name, value): + setattr(full_write_guard(object), name, value) +safe_builtins['setattr'] = guarded_setattr + +def guarded_delattr(object, name): + delattr(full_write_guard(object), name) +safe_builtins['delattr'] = guarded_delattr diff --git a/lib/kross/python/scripts/RestrictedPython/Limits.py b/lib/kross/python/scripts/RestrictedPython/Limits.py new file mode 100644 index 00000000..3b782e65 --- /dev/null +++ b/lib/kross/python/scripts/RestrictedPython/Limits.py @@ -0,0 +1,46 @@ +############################################################################## +# +# Copyright (c) 2001 Zope Corporation and Contributors. All Rights Reserved. +# +# This software is subject to the provisions of the Zope Public License, +# Version 2.0 (ZPL). A copy of the ZPL should accompany this distribution. +# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY AND ALL EXPRESS OR IMPLIED +# WARRANTIES ARE DISCLAIMED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +# WARRANTIES OF TITLE, MERCHANTABILITY, AGAINST INFRINGEMENT, AND FITNESS +# FOR A PARTICULAR PURPOSE +# +############################################################################## + +__version__='$Revision: 1.5 $'[11:-2] + +limited_builtins = {} + +def limited_range(iFirst, *args): + # limited range function from Martijn Pieters + RANGELIMIT = 1000 + if not len(args): + iStart, iEnd, iStep = 0, iFirst, 1 + elif len(args) == 1: + iStart, iEnd, iStep = iFirst, args[0], 1 + elif len(args) == 2: + iStart, iEnd, iStep = iFirst, args[0], args[1] + else: + raise AttributeError, 'range() requires 1-3 int arguments' + if iStep == 0: raise ValueError, 'zero step for range()' + iLen = int((iEnd - iStart) / iStep) + if iLen < 0: iLen = 0 + if iLen >= RANGELIMIT: raise ValueError, 'range() too large' + return range(iStart, iEnd, iStep) +limited_builtins['range'] = limited_range + +def limited_list(seq): + if isinstance(seq, str): + raise TypeError, 'cannot convert string to list' + return list(seq) +limited_builtins['list'] = limited_list + +def limited_tuple(seq): + if isinstance(seq, str): + raise TypeError, 'cannot convert string to tuple' + return tuple(seq) +limited_builtins['tuple'] = limited_tuple diff --git a/lib/kross/python/scripts/RestrictedPython/Makefile.am b/lib/kross/python/scripts/RestrictedPython/Makefile.am new file mode 100644 index 00000000..3d5b3c73 --- /dev/null +++ b/lib/kross/python/scripts/RestrictedPython/Makefile.am @@ -0,0 +1,4 @@ +restrictedpythondir = $(kde_datadir)/kross/python/RestrictedPython +restrictedpython_SCRIPTS = __init__.py Eval.py Guards.py Limits.py \ + MutatingWalker.py PrintCollector.py RCompile.py RestrictionMutator.py \ + SelectCompiler.py Utilities.py diff --git a/lib/kross/python/scripts/RestrictedPython/MutatingWalker.py b/lib/kross/python/scripts/RestrictedPython/MutatingWalker.py new file mode 100644 index 00000000..b0b8c9ce --- /dev/null +++ b/lib/kross/python/scripts/RestrictedPython/MutatingWalker.py @@ -0,0 +1,74 @@ +############################################################################## +# +# Copyright (c) 2001 Zope Corporation and Contributors. All Rights Reserved. +# +# This software is subject to the provisions of the Zope Public License, +# Version 2.0 (ZPL). A copy of the ZPL should accompany this distribution. +# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY AND ALL EXPRESS OR IMPLIED +# WARRANTIES ARE DISCLAIMED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +# WARRANTIES OF TITLE, MERCHANTABILITY, AGAINST INFRINGEMENT, AND FITNESS +# FOR A PARTICULAR PURPOSE +# +############################################################################## + +__version__='$Revision: 1.6 $'[11:-2] + +from SelectCompiler import ast + +ListType = type([]) +TupleType = type(()) +SequenceTypes = (ListType, TupleType) + +class MutatingWalker: + + def __init__(self, visitor): + self.visitor = visitor + self._cache = {} + + def defaultVisitNode(self, node, walker=None, exclude=None): + for name, child in node.__dict__.items(): + if exclude is not None and name in exclude: + continue + v = self.dispatchObject(child) + if v is not child: + # Replace the node. + node.__dict__[name] = v + return node + + def visitSequence(self, seq): + res = seq + for idx in range(len(seq)): + child = seq[idx] + v = self.dispatchObject(child) + if v is not child: + # Change the sequence. + if type(res) is ListType: + res[idx : idx + 1] = [v] + else: + res = res[:idx] + (v,) + res[idx + 1:] + return res + + def dispatchObject(self, ob): + ''' + Expected to return either ob or something that will take + its place. + ''' + if isinstance(ob, ast.Node): + return self.dispatchNode(ob) + elif type(ob) in SequenceTypes: + return self.visitSequence(ob) + else: + return ob + + def dispatchNode(self, node): + klass = node.__class__ + meth = self._cache.get(klass, None) + if meth is None: + className = klass.__name__ + meth = getattr(self.visitor, 'visit' + className, + self.defaultVisitNode) + self._cache[klass] = meth + return meth(node, self) + +def walk(tree, visitor): + return MutatingWalker(visitor).dispatchNode(tree) diff --git a/lib/kross/python/scripts/RestrictedPython/PrintCollector.py b/lib/kross/python/scripts/RestrictedPython/PrintCollector.py new file mode 100644 index 00000000..15a1c180 --- /dev/null +++ b/lib/kross/python/scripts/RestrictedPython/PrintCollector.py @@ -0,0 +1,23 @@ +############################################################################## +# +# Copyright (c) 2001 Zope Corporation and Contributors. All Rights Reserved. +# +# This software is subject to the provisions of the Zope Public License, +# Version 2.0 (ZPL). A copy of the ZPL should accompany this distribution. +# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY AND ALL EXPRESS OR IMPLIED +# WARRANTIES ARE DISCLAIMED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +# WARRANTIES OF TITLE, MERCHANTABILITY, AGAINST INFRINGEMENT, AND FITNESS +# FOR A PARTICULAR PURPOSE +# +############################################################################## + +__version__='$Revision: 1.4 $'[11:-2] + +class PrintCollector: + '''Collect written text, and return it when called.''' + def __init__(self): + self.txt = [] + def write(self, text): + self.txt.append(text) + def __call__(self): + return ''.join(self.txt) diff --git a/lib/kross/python/scripts/RestrictedPython/RCompile.py b/lib/kross/python/scripts/RestrictedPython/RCompile.py new file mode 100644 index 00000000..0a538657 --- /dev/null +++ b/lib/kross/python/scripts/RestrictedPython/RCompile.py @@ -0,0 +1,235 @@ +############################################################################## +# +# Copyright (c) 2001 Zope Corporation and Contributors. All Rights Reserved. +# +# This software is subject to the provisions of the Zope Public License, +# Version 2.0 (ZPL). A copy of the ZPL should accompany this distribution. +# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY AND ALL EXPRESS OR IMPLIED +# WARRANTIES ARE DISCLAIMED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +# WARRANTIES OF TITLE, MERCHANTABILITY, AGAINST INFRINGEMENT, AND FITNESS +# FOR A PARTICULAR PURPOSE +# +############################################################################## +"""Compiles restricted code using the compiler module from the +Python standard library. +""" + +__version__='$Revision: 1.6 $'[11:-2] + +from compiler import ast, parse, misc, syntax, pycodegen +from compiler.pycodegen import AbstractCompileMode, Expression, \ + Interactive, Module, ModuleCodeGenerator, FunctionCodeGenerator, findOp + +import MutatingWalker +from RestrictionMutator import RestrictionMutator + + +def niceParse(source, filename, mode): + try: + return parse(source, mode) + except: + # Try to make a clean error message using + # the builtin Python compiler. + try: + compile(source, filename, mode) + except SyntaxError: + raise + # Some other error occurred. + raise + +class RestrictedCompileMode(AbstractCompileMode): + """Abstract base class for hooking up custom CodeGenerator.""" + # See concrete subclasses below. + + def __init__(self, source, filename): + self.rm = RestrictionMutator() + AbstractCompileMode.__init__(self, source, filename) + + def parse(self): + return niceParse(self.source, self.filename, self.mode) + + def _get_tree(self): + tree = self.parse() + MutatingWalker.walk(tree, self.rm) + if self.rm.errors: + raise SyntaxError, self.rm.errors[0] + misc.set_filename(self.filename, tree) + syntax.check(tree) + return tree + + def compile(self): + tree = self._get_tree() + gen = self.CodeGeneratorClass(tree) + self.code = gen.getCode() + + +def compileAndTuplize(gen): + try: + gen.compile() + except SyntaxError, v: + return None, (str(v),), gen.rm.warnings, gen.rm.used_names + return gen.getCode(), (), gen.rm.warnings, gen.rm.used_names + +def compile_restricted_function(p, body, name, filename, globalize=None): + """Compiles a restricted code object for a function. + + The function can be reconstituted using the 'new' module: + + new.function(<code>, <globals>) + + The globalize argument, if specified, is a list of variable names to be + treated as globals (code is generated as if each name in the list + appeared in a global statement at the top of the function). + """ + gen = RFunction(p, body, name, filename, globalize) + return compileAndTuplize(gen) + +def compile_restricted_exec(s, filename='<string>'): + """Compiles a restricted code suite.""" + gen = RModule(s, filename) + return compileAndTuplize(gen) + +def compile_restricted_eval(s, filename='<string>'): + """Compiles a restricted expression.""" + gen = RExpression(s, filename) + return compileAndTuplize(gen) + +def compile_restricted(source, filename, mode): + """Replacement for the builtin compile() function.""" + if mode == "single": + gen = RInteractive(source, filename) + elif mode == "exec": + gen = RModule(source, filename) + elif mode == "eval": + gen = RExpression(source, filename) + else: + raise ValueError("compile_restricted() 3rd arg must be 'exec' or " + "'eval' or 'single'") + gen.compile() + return gen.getCode() + +class RestrictedCodeGenerator: + """Mixin for CodeGenerator to replace UNPACK_SEQUENCE bytecodes. + + The UNPACK_SEQUENCE opcode is not safe because it extracts + elements from a sequence without using a safe iterator or + making __getitem__ checks. + + This code generator replaces use of UNPACK_SEQUENCE with calls to + a function that unpacks the sequence, performes the appropriate + security checks, and returns a simple list. + """ + + # Replace the standard code generator for assignments to tuples + # and lists. + + def _gen_safe_unpack_sequence(self, num): + # We're at a place where UNPACK_SEQUENCE should be generated, to + # unpack num items. That's a security hole, since it exposes + # individual items from an arbitrary iterable. We don't remove + # the UNPACK_SEQUENCE, but instead insert a call to our _getiter_() + # wrapper first. That applies security checks to each item as + # it's delivered. codegen is (just) a bit messy because the + # iterable is already on the stack, so we have to do a stack swap + # to get things in the right order. + self.emit('LOAD_GLOBAL', '_getiter_') + self.emit('ROT_TWO') + self.emit('CALL_FUNCTION', 1) + self.emit('UNPACK_SEQUENCE', num) + + def _visitAssSequence(self, node): + if findOp(node) != 'OP_DELETE': + self._gen_safe_unpack_sequence(len(node.nodes)) + for child in node.nodes: + self.visit(child) + + visitAssTuple = _visitAssSequence + visitAssList = _visitAssSequence + + # Call to generate code for unpacking nested tuple arguments + # in function calls. + + def unpackSequence(self, tup): + self._gen_safe_unpack_sequence(len(tup)) + for elt in tup: + if isinstance(elt, tuple): + self.unpackSequence(elt) + else: + self._nameOp('STORE', elt) + +# A collection of code generators that adds the restricted mixin to +# handle unpacking for all the different compilation modes. They +# are defined here (at the end) so that can refer to RestrictedCodeGenerator. + +class RestrictedFunctionCodeGenerator(RestrictedCodeGenerator, + pycodegen.FunctionCodeGenerator): + pass + +class RestrictedExpressionCodeGenerator(RestrictedCodeGenerator, + pycodegen.ExpressionCodeGenerator): + pass + +class RestrictedInteractiveCodeGenerator(RestrictedCodeGenerator, + pycodegen.InteractiveCodeGenerator): + pass + +class RestrictedModuleCodeGenerator(RestrictedCodeGenerator, + pycodegen.ModuleCodeGenerator): + + def initClass(self): + ModuleCodeGenerator.initClass(self) + self.__class__.FunctionGen = RestrictedFunctionCodeGenerator + + +# These subclasses work around the definition of stub compile and mode +# attributes in the common base class AbstractCompileMode. If it +# didn't define new attributes, then the stub code inherited via +# RestrictedCompileMode would override the real definitions in +# Expression. + +class RExpression(RestrictedCompileMode, Expression): + mode = "eval" + CodeGeneratorClass = RestrictedExpressionCodeGenerator + +class RInteractive(RestrictedCompileMode, Interactive): + mode = "single" + CodeGeneratorClass = RestrictedInteractiveCodeGenerator + +class RModule(RestrictedCompileMode, Module): + mode = "exec" + CodeGeneratorClass = RestrictedModuleCodeGenerator + +class RFunction(RModule): + """A restricted Python function built from parts.""" + + CodeGeneratorClass = RestrictedModuleCodeGenerator + + def __init__(self, p, body, name, filename, globals): + self.params = p + self.body = body + self.name = name + self.globals = globals or [] + RModule.__init__(self, None, filename) + + def parse(self): + # Parse the parameters and body, then combine them. + firstline = 'def f(%s): pass' % self.params + tree = niceParse(firstline, '<function parameters>', 'exec') + f = tree.node.nodes[0] + body_code = niceParse(self.body, self.filename, 'exec') + # Stitch the body code into the function. + f.code.nodes = body_code.node.nodes + f.name = self.name + # Look for a docstring. + stmt1 = f.code.nodes[0] + if (isinstance(stmt1, ast.Discard) and + isinstance(stmt1.expr, ast.Const) and + isinstance(stmt1.expr.value, str)): + f.doc = stmt1.expr.value + # The caller may specify that certain variables are globals + # so that they can be referenced before a local assignment. + # The only known example is the variables context, container, + # script, traverse_subpath in PythonScripts. + if self.globals: + f.code.nodes.insert(0, ast.Global(self.globals)) + return tree diff --git a/lib/kross/python/scripts/RestrictedPython/RestrictionMutator.py b/lib/kross/python/scripts/RestrictedPython/RestrictionMutator.py new file mode 100644 index 00000000..a8b3850e --- /dev/null +++ b/lib/kross/python/scripts/RestrictedPython/RestrictionMutator.py @@ -0,0 +1,372 @@ +############################################################################## +# +# Copyright (c) 2001 Zope Corporation and Contributors. All Rights Reserved. +# +# This software is subject to the provisions of the Zope Public License, +# Version 2.0 (ZPL). A copy of the ZPL should accompany this distribution. +# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY AND ALL EXPRESS OR IMPLIED +# WARRANTIES ARE DISCLAIMED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +# WARRANTIES OF TITLE, MERCHANTABILITY, AGAINST INFRINGEMENT, AND FITNESS +# FOR A PARTICULAR PURPOSE +# +############################################################################## +"""Modify AST to include security checks. + +RestrictionMutator modifies a tree produced by +compiler.transformer.Transformer, restricting and enhancing the +code in various ways before sending it to pycodegen. + +$Revision: 1.13 $ +""" + +from SelectCompiler import ast, parse, OP_ASSIGN, OP_DELETE, OP_APPLY + +# These utility functions allow us to generate AST subtrees without +# line number attributes. These trees can then be inserted into other +# trees without affecting line numbers shown in tracebacks, etc. +def rmLineno(node): + """Strip lineno attributes from a code tree.""" + if node.__dict__.has_key('lineno'): + del node.lineno + for child in node.getChildren(): + if isinstance(child, ast.Node): + rmLineno(child) + +def stmtNode(txt): + """Make a "clean" statement node.""" + node = parse(txt).node.nodes[0] + rmLineno(node) + return node + +# The security checks are performed by a set of six functions that +# must be provided by the restricted environment. + +_apply_name = ast.Name("_apply_") +_getattr_name = ast.Name("_getattr_") +_getitem_name = ast.Name("_getitem_") +_getiter_name = ast.Name("_getiter_") +_print_target_name = ast.Name("_print") +_write_name = ast.Name("_write_") + +# Constants. +_None_const = ast.Const(None) +_write_const = ast.Const("write") + +_printed_expr = stmtNode("_print()").expr +_print_target_node = stmtNode("_print = _print_()") + +class FuncInfo: + print_used = False + printed_used = False + +class RestrictionMutator: + + def __init__(self): + self.warnings = [] + self.errors = [] + self.used_names = {} + self.funcinfo = FuncInfo() + + def error(self, node, info): + """Records a security error discovered during compilation.""" + lineno = getattr(node, 'lineno', None) + if lineno is not None and lineno > 0: + self.errors.append('Line %d: %s' % (lineno, info)) + else: + self.errors.append(info) + + def checkName(self, node, name): + """Verifies that a name being assigned is safe. + + This is to prevent people from doing things like: + + __metatype__ = mytype (opens up metaclasses, a big unknown + in terms of security) + __path__ = foo (could this confuse the import machinery?) + _getattr = somefunc (not very useful, but could open a hole) + + Note that assigning a variable is not the only way to assign + a name. def _badname, class _badname, import foo as _badname, + and perhaps other statements assign names. Special case: + '_' is allowed. + """ + if name.startswith("_") and name != "_": + # Note: "_" *is* allowed. + self.error(node, '"%s" is an invalid variable name because' + ' it starts with "_"' % name) + if name == "printed": + self.error(node, '"printed" is a reserved name.') + + def checkAttrName(self, node): + """Verifies that an attribute name does not start with _. + + As long as guards (security proxies) have underscored names, + this underscore protection is important regardless of the + security policy. Special case: '_' is allowed. + """ + name = node.attrname + if name.startswith("_") and name != "_": + # Note: "_" *is* allowed. + self.error(node, '"%s" is an invalid attribute name ' + 'because it starts with "_".' % name) + + def prepBody(self, body): + """Insert code for print at the beginning of the code suite.""" + + if self.funcinfo.print_used or self.funcinfo.printed_used: + # Add code at top for creating _print_target + body.insert(0, _print_target_node) + if not self.funcinfo.printed_used: + self.warnings.append( + "Prints, but never reads 'printed' variable.") + elif not self.funcinfo.print_used: + self.warnings.append( + "Doesn't print, but reads 'printed' variable.") + + def visitFunction(self, node, walker): + """Checks and mutates a function definition. + + Checks the name of the function and the argument names using + checkName(). It also calls prepBody() to prepend code to the + beginning of the code suite. + """ + self.checkName(node, node.name) + for argname in node.argnames: + if isinstance(argname, str): + self.checkName(node, argname) + else: + for name in argname: + self.checkName(node, name) + walker.visitSequence(node.defaults) + + former_funcinfo = self.funcinfo + self.funcinfo = FuncInfo() + node = walker.defaultVisitNode(node, exclude=('defaults',)) + self.prepBody(node.code.nodes) + self.funcinfo = former_funcinfo + return node + + def visitLambda(self, node, walker): + """Checks and mutates an anonymous function definition. + + Checks the argument names using checkName(). It also calls + prepBody() to prepend code to the beginning of the code suite. + """ + for argname in node.argnames: + self.checkName(node, argname) + return walker.defaultVisitNode(node) + + def visitPrint(self, node, walker): + """Checks and mutates a print statement. + + Adds a target to all print statements. 'print foo' becomes + 'print >> _print, foo', where _print is the default print + target defined for this scope. + + Alternatively, if the untrusted code provides its own target, + we have to check the 'write' method of the target. + 'print >> ob, foo' becomes + 'print >> (_getattr(ob, 'write') and ob), foo'. + Otherwise, it would be possible to call the write method of + templates and scripts; 'write' happens to be the name of the + method that changes them. + """ + node = walker.defaultVisitNode(node) + self.funcinfo.print_used = True + if node.dest is None: + node.dest = _print_target_name + else: + # Pre-validate access to the "write" attribute. + # "print >> ob, x" becomes + # "print >> (_getattr(ob, 'write') and ob), x" + node.dest = ast.And([ + ast.CallFunc(_getattr_name, [node.dest, _write_const]), + node.dest]) + return node + + visitPrintnl = visitPrint + + def visitName(self, node, walker): + """Prevents access to protected names as defined by checkName(). + + Also converts use of the name 'printed' to an expression. + """ + if node.name == 'printed': + # Replace name lookup with an expression. + self.funcinfo.printed_used = True + return _printed_expr + self.checkName(node, node.name) + self.used_names[node.name] = True + return node + + def visitCallFunc(self, node, walker): + """Checks calls with *-args and **-args. + + That's a way of spelling apply(), and needs to use our safe + _apply_ instead. + """ + walked = walker.defaultVisitNode(node) + if node.star_args is None and node.dstar_args is None: + # This is not an extended function call + return walked + # Otherwise transform foo(a, b, c, d=e, f=g, *args, **kws) into a call + # of _apply_(foo, a, b, c, d=e, f=g, *args, **kws). The interesting + # thing here is that _apply_() is defined with just *args and **kws, + # so it gets Python to collapse all the myriad ways to call functions + # into one manageable form. + # + # From there, _apply_() digs out the first argument of *args (it's the + # function to call), wraps args and kws in guarded accessors, then + # calls the function, returning the value. + # Transform foo(...) to _apply(foo, ...) + walked.args.insert(0, walked.node) + walked.node = _apply_name + return walked + + def visitAssName(self, node, walker): + """Checks a name assignment using checkName().""" + self.checkName(node, node.name) + return node + + def visitFor(self, node, walker): + # convert + # for x in expr: + # to + # for x in _getiter(expr): + # + # Note that visitListCompFor is the same thing. Exactly the same + # transformation is needed to convert + # [... for x in expr ...] + # to + # [... for x in _getiter(expr) ...] + node = walker.defaultVisitNode(node) + node.list = ast.CallFunc(_getiter_name, [node.list]) + return node + + visitListCompFor = visitFor + + def visitGetattr(self, node, walker): + """Converts attribute access to a function call. + + 'foo.bar' becomes '_getattr(foo, "bar")'. + + Also prevents augmented assignment of attributes, which would + be difficult to support correctly. + """ + self.checkAttrName(node) + node = walker.defaultVisitNode(node) + if getattr(node, 'in_aug_assign', False): + # We're in an augmented assignment + # We might support this later... + self.error(node, 'Augmented assignment of ' + 'attributes is not allowed.') + return ast.CallFunc(_getattr_name, + [node.expr, ast.Const(node.attrname)]) + + def visitSubscript(self, node, walker): + """Checks all kinds of subscripts. + + 'foo[bar] += baz' is disallowed. + 'a = foo[bar, baz]' becomes 'a = _getitem(foo, (bar, baz))'. + 'a = foo[bar]' becomes 'a = _getitem(foo, bar)'. + 'a = foo[bar:baz]' becomes 'a = _getitem(foo, slice(bar, baz))'. + 'a = foo[:baz]' becomes 'a = _getitem(foo, slice(None, baz))'. + 'a = foo[bar:]' becomes 'a = _getitem(foo, slice(bar, None))'. + 'del foo[bar]' becomes 'del _write(foo)[bar]'. + 'foo[bar] = a' becomes '_write(foo)[bar] = a'. + + The _write function returns a security proxy. + """ + node = walker.defaultVisitNode(node) + if node.flags == OP_APPLY: + # Set 'subs' to the node that represents the subscript or slice. + if getattr(node, 'in_aug_assign', False): + # We're in an augmented assignment + # We might support this later... + self.error(node, 'Augmented assignment of ' + 'object items and slices is not allowed.') + if hasattr(node, 'subs'): + # Subscript. + subs = node.subs + if len(subs) > 1: + # example: ob[1,2] + subs = ast.Tuple(subs) + else: + # example: ob[1] + subs = subs[0] + else: + # Slice. + # example: obj[0:2] + lower = node.lower + if lower is None: + lower = _None_const + upper = node.upper + if upper is None: + upper = _None_const + subs = ast.Sliceobj([lower, upper]) + return ast.CallFunc(_getitem_name, [node.expr, subs]) + elif node.flags in (OP_DELETE, OP_ASSIGN): + # set or remove subscript or slice + node.expr = ast.CallFunc(_write_name, [node.expr]) + return node + + visitSlice = visitSubscript + + def visitAssAttr(self, node, walker): + """Checks and mutates attribute assignment. + + 'a.b = c' becomes '_write(a).b = c'. + The _write function returns a security proxy. + """ + self.checkAttrName(node) + node = walker.defaultVisitNode(node) + node.expr = ast.CallFunc(_write_name, [node.expr]) + return node + + def visitExec(self, node, walker): + self.error(node, 'Exec statements are not allowed.') + + def visitYield(self, node, walker): + self.error(node, 'Yield statements are not allowed.') + + def visitClass(self, node, walker): + """Checks the name of a class using checkName(). + + Should classes be allowed at all? They don't cause security + issues, but they aren't very useful either since untrusted + code can't assign instance attributes. + """ + self.checkName(node, node.name) + return walker.defaultVisitNode(node) + + def visitModule(self, node, walker): + """Adds prep code at module scope. + + Zope doesn't make use of this. The body of Python scripts is + always at function scope. + """ + node = walker.defaultVisitNode(node) + self.prepBody(node.node.nodes) + return node + + def visitAugAssign(self, node, walker): + """Makes a note that augmented assignment is in use. + + Note that although augmented assignment of attributes and + subscripts is disallowed, augmented assignment of names (such + as 'n += 1') is allowed. + + This could be a problem if untrusted code got access to a + mutable database object that supports augmented assignment. + """ + node.node.in_aug_assign = True + return walker.defaultVisitNode(node) + + def visitImport(self, node, walker): + """Checks names imported using checkName().""" + for name, asname in node.names: + self.checkName(node, name) + if asname: + self.checkName(node, asname) + return node + diff --git a/lib/kross/python/scripts/RestrictedPython/SelectCompiler.py b/lib/kross/python/scripts/RestrictedPython/SelectCompiler.py new file mode 100644 index 00000000..5f9da698 --- /dev/null +++ b/lib/kross/python/scripts/RestrictedPython/SelectCompiler.py @@ -0,0 +1,28 @@ +############################################################################## +# +# Copyright (c) 2001 Zope Corporation and Contributors. All Rights Reserved. +# +# This software is subject to the provisions of the Zope Public License, +# Version 2.0 (ZPL). A copy of the ZPL should accompany this distribution. +# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY AND ALL EXPRESS OR IMPLIED +# WARRANTIES ARE DISCLAIMED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +# WARRANTIES OF TITLE, MERCHANTABILITY, AGAINST INFRINGEMENT, AND FITNESS +# FOR A PARTICULAR PURPOSE +# +############################################################################## +"""Compiler selector. + +$Id: SelectCompiler.py 24763 2004-05-17 05:59:28Z philikon $ +""" + +# Use the compiler from the standard library. +import compiler +from compiler import ast +from compiler.transformer import parse +from compiler.consts import OP_ASSIGN, OP_DELETE, OP_APPLY + +from RCompile import \ + compile_restricted, \ + compile_restricted_function, \ + compile_restricted_exec, \ + compile_restricted_eval diff --git a/lib/kross/python/scripts/RestrictedPython/Utilities.py b/lib/kross/python/scripts/RestrictedPython/Utilities.py new file mode 100644 index 00000000..87eef69b --- /dev/null +++ b/lib/kross/python/scripts/RestrictedPython/Utilities.py @@ -0,0 +1,77 @@ +############################################################################## +# +# Copyright (c) 2001 Zope Corporation and Contributors. All Rights Reserved. +# +# This software is subject to the provisions of the Zope Public License, +# Version 2.0 (ZPL). A copy of the ZPL should accompany this distribution. +# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY AND ALL EXPRESS OR IMPLIED +# WARRANTIES ARE DISCLAIMED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +# WARRANTIES OF TITLE, MERCHANTABILITY, AGAINST INFRINGEMENT, AND FITNESS +# FOR A PARTICULAR PURPOSE +# +############################################################################## + +__version__='$Revision: 1.7 $'[11:-2] + +import string, math, random +import DocumentTemplate.sequence + +utility_builtins = {} + +utility_builtins['string'] = string +utility_builtins['math'] = math +utility_builtins['random'] = random +utility_builtins['whrandom'] = random +utility_builtins['sequence'] = DocumentTemplate.sequence + +try: + import DateTime + utility_builtins['DateTime']= DateTime.DateTime +except: pass + +def same_type(arg1, *args): + '''Compares the class or type of two or more objects.''' + t = getattr(arg1, '__class__', type(arg1)) + for arg in args: + if getattr(arg, '__class__', type(arg)) is not t: + return 0 + return 1 +utility_builtins['same_type'] = same_type + +def test(*args): + l=len(args) + for i in range(1, l, 2): + if args[i-1]: return args[i] + + if l%2: return args[-1] +utility_builtins['test'] = test + +def reorder(s, with=None, without=()): + # s, with, and without are sequences treated as sets. + # The result is subtract(intersect(s, with), without), + # unless with is None, in which case it is subtract(s, without). + if with is None: with=s + d={} + tt=type(()) + for i in s: + if type(i) is tt and len(i)==2: k, v = i + else: k= v = i + d[k]=v + r=[] + a=r.append + h=d.has_key + + for i in without: + if type(i) is tt and len(i)==2: k, v = i + else: k= v = i + if h(k): del d[k] + + for i in with: + if type(i) is tt and len(i)==2: k, v = i + else: k= v = i + if h(k): + a((k,d[k])) + del d[k] + + return r +utility_builtins['reorder'] = reorder diff --git a/lib/kross/python/scripts/RestrictedPython/__init__.py b/lib/kross/python/scripts/RestrictedPython/__init__.py new file mode 100644 index 00000000..0c70947e --- /dev/null +++ b/lib/kross/python/scripts/RestrictedPython/__init__.py @@ -0,0 +1,19 @@ +############################################################################## +# +# Copyright (c) 2001 Zope Corporation and Contributors. All Rights Reserved. +# +# This software is subject to the provisions of the Zope Public License, +# Version 2.0 (ZPL). A copy of the ZPL should accompany this distribution. +# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY AND ALL EXPRESS OR IMPLIED +# WARRANTIES ARE DISCLAIMED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +# WARRANTIES OF TITLE, MERCHANTABILITY, AGAINST INFRINGEMENT, AND FITNESS +# FOR A PARTICULAR PURPOSE +# +############################################################################## +''' +RestrictedPython package. +$Id: __init__.py 24763 2004-05-17 05:59:28Z philikon $ +''' + +from SelectCompiler import * +from PrintCollector import PrintCollector |