Closed MichaelBrueggemann closed 8 months ago
A very simple solution would be to add this code to run_udf():
# check if the udf string contains forbidden keywords
forbidden_keywords <- c("system", "Sys.", "processx")
# fixed = TRUE so that "Sys." is matched literally rather than as a regex
if (any(sapply(forbidden_keywords, grepl, udf, fixed = TRUE))) {
  stop("Forbidden keyword used!")
}
@MichaelBrueggemann, nice suggestion. Kindly create a branch of the current repo and update the UDF function, then send a pull request.
@MichaelBrueggemann, taken care of.
@mikemahoney218 has come up with a nice solution for a similar problem in {rsi}, including a whitelist instead of a blacklist, which should be much safer. Maybe this could be made expandable by users via an option?
@goergen95, thanks for pointing out this alternative. I'll refactor with that approach.
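An allowlist check of the kind discussed above, written here as an added illustration; it is not code from openeocubes or {rsi}, and the contents of `allowed` and the `run_udf_checked` wrapper are assumptions for the example:

```r
# Added illustration, not code from openeocubes or {rsi}: parse the UDF
# string (base::parse only builds the expression tree, it evaluates nothing),
# refuse it unless every called function is on an allowlist, and then
# evaluate it in an environment whose only visible bindings are those
# functions. The contents of `allowed` are an assumption for this example.
allowed <- c("+", "-", "*", "/", "^", "(", "{", "<-",
             "sum", "mean", "max", "min", "abs", "sqrt", "log", "exp")

# Recursively collect the names of all functions called in an expression.
called_functions <- function(expr) {
  if (is.call(expr)) {
    fn <- expr[[1]]
    # Only a plain symbol may name the callee: `pkg::fn(...)`,
    # `(fn)(...)` and `get("fn")(...)` all have a call in that position.
    if (!is.symbol(fn)) stop("Only directly named function calls are allowed")
    c(as.character(fn), unlist(lapply(as.list(expr)[-1], called_functions)))
  } else {
    character(0)  # symbols and constants call nothing
  }
}

# Parse, check the allowlist, then evaluate in a sealed environment.
run_udf_checked <- function(udf, data) {
  exprs <- parse(text = udf, keep.source = FALSE)
  used <- unique(unlist(lapply(exprs, called_functions)))
  bad <- setdiff(used, allowed)
  if (length(bad) > 0) {
    stop("UDF uses functions outside the allowlist: ", paste(bad, collapse = ", "))
  }
  # Parent is emptyenv(), so a bare symbol such as `system` resolves to
  # nothing even if the static check were somehow bypassed.
  sandbox <- new.env(parent = emptyenv())
  for (name in allowed) assign(name, get(name, envir = baseenv()), envir = sandbox)
  assign("data", data, envir = sandbox)
  eval(exprs, envir = sandbox)
}

# Constructed inputs: an arithmetic UDF that runs, and a shell call that is
# refused by the static check before anything is evaluated.
run_udf_checked("mean(data) + max(data)", c(1, 2, 3))
tryCatch(run_udf_checked('system("ls")', 1), error = conditionMessage)
```

The static check and the sealed environment are independent layers: the first rejects the UDF with a readable message, the second ensures that nothing outside `allowed` is reachable at evaluation time.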
@PondiB
URGENT ISSUE!!!
In the current implementation, the process "run_udf" takes an arbitrary string with a user-defined function. This string isn't checked but rather is directly parsed into an expression by base::parse() and is then directly evaluated with base::eval(). This is a significant safety hazard for the operating system currently running an instance of "openeocubes". With this process one could not only provide functions as intended by openEO but could also run any R code. In the following example I have created a UDF that uses base::system() to execute a shell command on the operating system. With this I was able to create a C program and also compile and execute it. This could be a potential entry point for malware and other people with questionable intent (clone a git repo with malware code and execute it). I recommend implementing some kind of safety, so as to restrict the kind of R functions that can be passed (e.g. forbid the use of system() and other similar functions), or rather remove this functionality entirely until this issue is resolved.
Example Code:
I recommend trying this with a local instance of openeocubes (with startLocal.R) and seeing the issue for yourself.