FilipDominec / nihilnovi

Browse and compare scientific data files like you browse your photo gallery (and process them with Python+Matplotlib)
MIT License
10 stars 4 forks

Abandon hope, all ye who eval foreign code #4

Open FilipDominec opened 7 years ago

FilipDominec commented 7 years ago

Currently, the program searches for a file plotrc_*.py in the directory of the loaded file; if found, it is automatically evaluated to pre-process the data and/or change the plotting style. It is assumed that files that already exist on your local hard drive should not be an attack vector, but currently eval can also access all your data, which is somewhat dangerous.

https://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html
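To make the problem in the comment above concrete, here is an added illustration (not nihilnovi's code, and not the author's): the exec-based loading pattern the issue describes next to a loader that treats plotrc_*.py as data and executes nothing. The option names in the sample files (xlabel, linewidth, style) and the directory layout are made up for the example; the project's real option names are not taken from the issue.

```python
"""Vulnerable exec() of a plotrc file vs. a parse-only loader (added illustration, not nihilnovi's code).

Assumptions not taken from the issue: the file only sets plotting options, and the
option names used in the samples ('xlabel', 'linewidth', 'style') are made up.
"""
import ast
import glob
import os
import tempfile

# Constructed sample plotrc files, not taken from the project.
BENIGN_PLOTRC = 'xlabel = "time (s)"\nlinewidth = 2\nstyle = {"color": "k", "ls": "--"}\n'
MALICIOUS_PLOTRC = 'import os\nos.system("echo pwned")\nxlabel = "x"\n'
SNEAKY_PLOTRC = 'xlabel = __import__("os").system("echo pwned")\n'  # a call hiding behind an assignment


def find_plotrc(data_path):
    """The lookup described in the issue: plotrc_*.py files next to the loaded data file."""
    data_dir = os.path.dirname(os.path.abspath(data_path))
    return sorted(glob.glob(os.path.join(data_dir, "plotrc_*.py")))


def load_plotrc_unsafe(path, namespace=None):
    """The pattern the issue warns about: whatever the file contains runs with the user's privileges."""
    namespace = {} if namespace is None else namespace
    with open(path) as f:
        exec(f.read(), namespace)  # file I/O, network, subprocess, ... are all reachable from here
    return namespace


def parse_plotrc_source(source, filename="<plotrc>"):
    """Treat the file as data: accept only `name = <literal>` statements, execute nothing.

    ast.literal_eval only builds strings, numbers, tuples, lists, dicts, sets, booleans
    and None, so imports, calls, attribute access and arithmetic are all rejected.
    """
    tree = ast.parse(source, filename=filename)
    options = {}
    for node in tree.body:
        if not (isinstance(node, ast.Assign)
                and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)):
            raise ValueError(f"{filename}:{node.lineno}: only simple 'name = literal' assignments are allowed")
        try:
            options[node.targets[0].id] = ast.literal_eval(node.value)
        except ValueError as exc:
            raise ValueError(f"{filename}:{node.lineno}: value of {node.targets[0].id!r} is not a literal") from exc
    return options


def load_plotrc_declarative(path):
    """Same lookup result as the unsafe loader, but parsed rather than executed."""
    with open(path) as f:
        return parse_plotrc_source(f.read(), filename=path)


def demo():
    """Write the samples next to a fake data file and compare both loaders. Returns a result dict."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        data_file = os.path.join(d, "spectrum.dat")
        open(data_file, "w").close()
        for name, text in (("plotrc_benign.py", BENIGN_PLOTRC),
                           ("plotrc_malicious.py", MALICIOUS_PLOTRC),
                           ("plotrc_sneaky.py", SNEAKY_PLOTRC)):
            with open(os.path.join(d, name), "w") as f:
                f.write(text)
        results["found"] = [os.path.basename(p) for p in find_plotrc(data_file)]
        # exec'ing the benign file works; the same call on the other two would run their payloads
        unsafe_ns = load_plotrc_unsafe(os.path.join(d, "plotrc_benign.py"))
        results["unsafe_benign"] = {k: v for k, v in unsafe_ns.items() if not k.startswith("__")}
        results["declarative"] = {}
        for p in find_plotrc(data_file):
            try:
                results["declarative"][os.path.basename(p)] = load_plotrc_declarative(p)
            except ValueError as exc:
                results["declarative"][os.path.basename(p)] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    import pprint
    pprint.pprint(demo())
```

The trade-off is the one the comment hints at: a parse-only loader removes the attack surface entirely, but it can only set options, not run arbitrary pre-processing code, so a project that wants the latter needs some other control on what the executed code may do.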

FilipDominec commented 4 years ago

It may turn out to be an illusion, but maybe I just got a simple 6-line sandboxing solution for pure CPython 3.8.0+. No virtualization, no extra dependencies or manual code preprocessing, negligible performance impact, and only minor functionality limitation.

https://stackoverflow.com/questions/3068139/how-can-i-sandbox-python-in-pure-python/62661311#62661311

One would have to test it thoroughly before calling it secure against malicious attacks. But it is pretty safe against shooting oneself in the foot, e.g. overwriting important files. The only trouble is that it requires a rather new version of the interpreter.
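The "CPython 3.8.0+" requirement points at the audit-hook mechanism (sys.addaudithook, PEP 578). The following is an added illustration of that approach, written here and not copied from the linked answer or from nihilnovi: the hook is installed once, can never be removed, and enforces only while a frame compiled from an assumed sentinel filename (`<plotrc>`) is on the call stack, so the host program's own file writes are unaffected. The denylist of audit events and the "any open() in a writing mode" rule are assumptions made for the example.

```python
"""Scoped audit-hook guard for exec'ing plotrc code (added illustration, not the author's
answer or nihilnovi's code). It relies on sys.addaudithook from CPython 3.8+ (PEP 578).

Assumptions not taken from the issue: plotrc source is compiled under the sentinel
filename PLOTRC_FILENAME, and "dangerous" is approximated by the denylist of audit
events below plus any open() in a writing mode.
"""
import os
import sys

PLOTRC_FILENAME = "<plotrc>"  # assumed sentinel; must not collide with a real file name


class PlotrcViolation(PermissionError):
    """Raised from inside the audit hook when plotrc code attempts a blocked operation."""


def _install_guard():
    # Bind everything the hook needs to locals, so plotrc code cannot weaken it by
    # reassigning module globals (the hook itself can never be removed once added).
    sentinel = PLOTRC_FILENAME
    blocked = frozenset({
        "os.system", "os.exec", "os.fork", "os.posix_spawn", "os.spawn", "subprocess.Popen",
        "os.remove", "os.rename", "os.rmdir", "os.truncate", "os.chmod", "os.chown",
        "shutil.rmtree", "shutil.move", "shutil.copyfile", "socket.connect", "socket.bind",
        "ctypes.dlopen", "ctypes.call_function", "sys.addaudithook", "os.putenv", "os.unsetenv",
    })
    write_flags = os.O_WRONLY | os.O_RDWR | os.O_CREAT | os.O_TRUNC | os.O_APPEND

    def plotrc_on_stack():
        # Enforcement is scoped by call stack: only while a frame compiled from the
        # sentinel filename is executing (this also covers callbacks defined in the file).
        frame = sys._getframe(1)
        while frame is not None:
            if frame.f_code.co_filename == sentinel:
                return True
            frame = frame.f_back
        return False

    def hook(event, args):
        if event == "sys._getframe":  # raised by our own stack walk; never recurse into it
            return
        if event == "open":
            path, mode, flags = args
            if isinstance(mode, str):
                writing = any(c in mode for c in "wax+")
            else:  # os.open() reports mode=None and the raw flags
                writing = isinstance(flags, int) and bool(flags & write_flags)
            if not writing:
                return  # read-only opens remain allowed: plotrc files legitimately read data
        elif event not in blocked:
            return
        if plotrc_on_stack():
            raise PlotrcViolation(f"plotrc code attempted blocked operation {event} {args!r}")

    sys.addaudithook(hook)


_install_guard()


def run_plotrc(source, namespace=None):
    """Compile plotrc source under the sentinel filename and exec it; returns its namespace."""
    namespace = {} if namespace is None else namespace
    exec(compile(source, PLOTRC_FILENAME, "exec"), namespace)
    return namespace


def probe(source):
    """Run plotrc source and report {'status': 'ok', 'detail': names} or {'status': 'blocked', 'detail': msg}."""
    try:
        ns = run_plotrc(source)
    except PlotrcViolation as exc:
        return {"status": "blocked", "detail": str(exc)}
    return {"status": "ok", "detail": {k: v for k, v in ns.items() if not k.startswith("__")}}


def host_can_write():
    """Same operation as WRITE_PLOTRC, but from host code: no sentinel frame, so it is allowed."""
    with open(os.devnull, "w"):
        return True


# Constructed sample plotrc files, not taken from the project.
BENIGN_PLOTRC = 'import os\nstyle = {"linewidth": 2}\nwith open(os.devnull) as f:\n    f.read(1)\n'
WRITE_PLOTRC = 'import os\nopen(os.devnull, "w").write("x")\n'
SHELL_PLOTRC = 'import os\nos.system("echo pwned")\n'

if __name__ == "__main__":
    for name, src in (("benign", BENIGN_PLOTRC), ("write", WRITE_PLOTRC), ("shell", SHELL_PLOTRC)):
        print(name, probe(src))
    print("host write allowed:", host_can_write())
```

This matches the comment's own assessment rather than contradicting it: it reliably stops accidental damage such as overwriting files, but it is a denylist of audited events (anything not audited, or not listed, passes), the stack check does not see work handed to another thread or deferred via atexit unless the code that runs there was itself compiled from the plotrc file, and PEP 578 states explicitly that audit hooks are not a sandbox. Treat it as a safety belt against shooting oneself in the foot, not as protection against a deliberately malicious plotrc file.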