I want to do a dynamic-require of a 'info submodule of an arbitrary (say adversarial) file, with as few capabilities as possible (security guards, but also no putenv, no system/process, etc.). Ideally I would like to check/ensure that the submodule uses a particular language such as (something like) setup/infotab. Is that possible?
Currently, I’m just setting a security-guard, so no file/network access, but that’s not enough.
Is it possible that the enclosing module (of the info submodule) may execute some code when dynamic-require-ing the submodule, say via macros, or if the submodule happens to reverse the dependencies (module*)?
IIUC, the example for language-info is not secure enough:
> (dynamic-require 'racket/dict (void))
> (module->language-info 'racket/dict)
since the dynamic-require may perform expansion, is that correct? Is there a way to declare the submodule without visiting it at all (nor its enclosing module)?
oh, maybe I can use an uninterned symbol for the submodule name? This way, the only way to create the submodule is with forms I provide myself, and I can make sure the language of the submodule is the one I want
(This only solves half of my use cases though, but it would be a start)
At the same time the enclosing module is going to be compiled anyway, so I guess it’s hopeless, unless there’s a clear compilation separation of modules and submodules (which is not the case, IIRC)
setup/get-info (https://github.com/racket/racket/blob/448b77a6629c68659e1360fbe9f9e1ecea078f9c/racket/collects/setup/getinfo.rkt) goes to great lengths to reduce capabilities, but for packages (at least) the package goes through raco setup upon installation, which means that arbitrary code can still be executed (including file writes). Would it make sense to reduce by default package capabilities on setup, and ask the user when a write attempt or network access attempt is made? Possibly adding a --allow-all flag to raco setup for trusted sources?
Looks like https://www.cs.utah.edu/ is currently refusing connections.
There was a power outage, back up now.
I’m not sure I follow. It seems like you’ve discovered the get-info function from setup/get-info. Is it because you want a different language instead of #lang info?
This sounds difficult. The pkg-build system deals with code it doesn’t trust by isolating it in a Docker container with network access disabled, etc.
Meanwhile, we have a long-running experiment with sandboxing in the form of racket/sandbox, and over time we’ve mostly learned just how difficult it is to lock things down without resorting to OS help.
No, that’s not it. Yielding (via sleep/yield or other things) handles events on the same thread that called the sleep and then it returns, leaving you in the same dynamic/control context you were in before. And queue-callback and friends will put an event to be handled at the end of the queue. Probably both options can be used to solve the problem at hand, but I find the sleep version to be harder to get right somehow. One thought to give a sense of what’s complex about it: imagine that one of the events that got handled was something that opened a new frame and now the one that you are trying to get the focus to isn’t frontmost anymore? I forget if non-frontmost frames can or cannot have focus but this isn’t really about that specifically; just pointing out that a lot of things might change and there may be some invariant that gets forgotten because of the sleep — of course this can all happen in similar ways with queue-callback too.
get-info does not work on submodules afaict, since it checks that the file contents match a special grammar. Also, I do want a different language, but I think I could do with #lang info if I could use it. The main problem is that the 'info submodule is generated by the enclosing module, so the latter must be expanded. It may be possible to set security guards during this process, but there are still accesses to environment variables and whatnot.
I meant: during the raco setup phase of raco pkg install some-untrusted-package, can’t we set security guards on file system write/execute and network access by default? To automate things, the info.rkt file could contain a (define request-access '(filesystem network)) to deactivate the security guards, possibly after notifying and asking the user if it’s okay?
Ah, I missed the “submodule” part. It’s definitely not set up to get info from a submodule. Because compiling a module may involve loading other modules, and because untrustworthy compiled code might get involved there, dealing with submodules in untrusted code seems outside of Racket’s reach.
The important question is whether DrRacket shows the code the way it’s executed
I think the answer is that DrRacket does not respect the bidirectional marks
Right, although that’s relying on a bug remaining unfixed forever :slightly_smiling_face:
I see, thanks. So is there a way to prevent write access to environment variables and, most importantly, calls to system and process, similarly to security guards?
Right, I think we should adopt the rust approach of rejecting non-escape versions of those characters in the reader
Yes, that sounds saner to me indeed.
Yes, system and process are guarded by the security guard ('execute on a file). For environment variables, set current-environment-variables to a fresh copy.
With ppict/pslide, how do I place an image in the true bottom-left of the scene? This is #:go (coord 0 1 'lb) (the pencils).
ah, fantastic, thanks!
(dynamic-require a-submod #f) raises an exception when the submodule a-submod does not exist. Is there a better way to check for the existence of the submodule than handling the exception?
Thanks. It says that the module must be declared; doesn’t this mean I still need to call dynamic-require beforehand?
Looks like it does require it to be called beforehand:
> (define f (make-temporary-file))
> (write-to-file `(module mymod racket/base
                    (module mysubmod racket/base (displayln "hey!")))
                 f #:exists 'replace)
> (module-declared? `(submod (file ,(path->string f)) mysubmod))
#f
> (dynamic-require `(submod (file ,(path->string f)) mysubmod) (void))
> (module-declared? `(submod (file ,(path->string f)) mysubmod))
#t
Thanks I’ll take a look
I have no idea, but in case nothing works, another possibility may be to crop the scene afterwards (and maybe increase beforehand)
I ended up just using negative coordinates
heh :slightly_smiling_face:
In my experience the necessary/sufficient bits of that example are: 1. Use namespace-require on the outer module (the module path corresponding to the .rkt file). 2. Use module-declared? on the module path for the submodule within. 3. If you just wanted to test its existence, you’re done. Or you can go ahead and dynamic-require the submodule now.
In addition to that example wrt main, this is basically what things like DrRacket and Racket Mode do for any list of submodules to run automatically, like main and/or test etc.
Probably (coord 0 1 'lb #:abs-x (- margin) #:abs-y margin)
Thanks greg.
https://benknoble.github.io/blog/2021/10/27/boggle/ Also submitted for racket news inclusion.
Done! Couldn’t make the “Sign in with GitHub” work, but I created an account, so no worries.
The idea is that you make a regular user first. Then you can link your github account to the user. The next time, you can login directly with github.
But it isn’t exactly clear from the text on the site.
Yea I missed that, so I managed to authorize the GH app before I had an account, and now that I have one it’s not working to link them I think.
Oh…
FWIW you are not listed in the database as a github user. Maybe just delete the racket-stories cookie? (Or try logging in from an incognito window)
Neither worked. If I have time later I’ll try deleting the OAuth from my GH account before attempting to reconnect.
Those pencils are gorgeous.
I needed a logo for Graphite so that’s the closest thing I could come up with
Sawzall’s “logo” in this talk is a literal reciprocating saw so
That is a fancy looking slide :slightly_smiling_face:
Hi, I checked the database and couldn’t see anything. In an attempt to change something, I deleted the sessions associated to your cookies. Don’t know if that helps at all.
@mflatt braces don’t seem to work to create a Map. Am I missing anything?
Here’s an error:
braces: misplaced expression;
no infix operator is between this expression and the previous one,
and `#%set` is not bound as an implicit prefix expression operator
Are you running the implementation in the racket-brainstorming repo or the shrubbery-rhombus-0 package?
racket-brainstorming
I haven’t kept that up-to-date, but I should. Meanwhile, the https://github.com/mflatt/shrubbery-rhombus-0 package should work.
Ah, got it. Thanks!