Using RestrictedPython

[Rasjid Wilcox]

Hi,

I found references on Google to a discussion a little while ago about using
RestrictedPython instead of rexec and Bastion. But I've had trouble
finding documentation.

Below is my test program. Am I doing this the right way?

- - - -
#!/usr/bin/env python

from RestrictedPython import compile_restricted

def g(x):
return "Function g(x)"

fn = '''
def f(x):
return "x: " + str(x) + " x^2: " + str(x*x)

'''

fn2 = '''
def h(x):
f = open('test-out.txt', 'w')
f.write(x)
f.close()
s = 'Just wrote to a file'
return s
'''

exp = 'str(f(3))'

cofn = compile_restricted(fn, '<string> ', 'exec')
exec(cofn)
coexp = compile_restricted(exp, '<string>', 'eval')
print "Restricted eval: " + str(eval(coexp))

f = g
print "Restricted eval: " + str(eval(coexp))

exec(fn2)
print "Native exec: " + str(h("Native exec\n"))

h = None
#cofn2 = compile(fn2, '<string>', 'exec')
cofn2 = compile_restricted(fn2, '<string>', 'exec')
exec(cofn2)
try:
print h("Restricted exec\n")
except:
print "Can't run restricted code?"

- - - -

I know it runs and it seems to do what I expect, but is it 'right'?

Thanks,

Rasjid.

 

[Evan Simpson]

Below is my test program. Am I doing this the right way?

Well, you've got the basics of compiling and executing the compiled
code. What you need to understand about RestrictedPython, though, is
that while it provides the raw material for restricted execution, you
need to supply a policy implementation. You hook up your implementation
by providing a set of specially named objects in the global dict that
you use for execution of code. Specifically:

1. "_print_" is a callable object that returns a handler for print
statements. This handler must have a 'write()' method that accepts a
single string argument, and must return a string when called. The
PrintCollector module has an implementation.

2. "_write_" is a guard function taking a single argument. If the
object passed to it may be written to, it should be returned, otherwise
the guard function should raise an exception.

3. "_getattr_" and "_getitem_" are guard functions, each of which takes
two arguments. The first is the base object to be accessed, while the
second is the attribute name or item index that will be read. The guard
function should return the attribute or subitem, or raise an exception.

4. "__import__" is the normal Python import hook, and should be used to
control access to Python packages and modules.

5. "__builtins__" is the normal Python builtins dictionary, which should
be weeded down to a set that cannot be used to get around your
restrictions. A usable "safe" set is in the Guards module.

To help illustrate how this works under the covers, here's an example
function along with (sort of) how it looks after restricted compilation:

def f(x):
x.foo = x.foo + x[0]
print x
return printed

def f(x):
# Make local variables from globals.
_print = _print_()
_write = _write_
_getattr = _getattr_
_getitem = _getitem_
#
_write(x).foo = _getattr(x, 'foo') + _getitem(x, 0)
print >>_print, x
return _print()

Cheers,

Evan @ 4-am