goby-lang / goby

Goby - Yet another programming language written in Go
MIT License

Sandboxing goby #401

Closed mfzl closed 7 years ago

mfzl commented 7 years ago

I would like to use Goby within a Go application as a scripting language for a rule engine. Is it possible to sandbox the Goby interpreter, i.e. disable some libraries and functions?

Is this possible?

ear7h commented 7 years ago

Yes it is possible, goby is a Go package (`go get`-able and importable). You can look at the goby.go file, which initializes a single Goby interpreter, particularly the block of code starting on line 59:

```go
package main

import (
	"fmt"
	"io/ioutil"
	"path/filepath"

	"github.com/goby-lang/goby/compiler"
	"github.com/goby-lang/goby/compiler/parser"
	"github.com/goby-lang/goby/vm"
)

// runFile compiles and executes one Goby source file in a fresh VM.
// dir is the directory handed to vm.New; args are passed to the script.
func runFile(fp, dir string, args []string) {
	// file is a byte array of the file to be run
	file, err := ioutil.ReadFile(fp)
	if err != nil {
		fmt.Println(err.Error())
		return
	}

	instructionSets, err := compiler.CompileToInstructions(string(file), parser.NormalMode)
	if err != nil {
		fmt.Println(err.Error())
		return
	}

	v, err := vm.New(dir, args)
	if err != nil {
		fmt.Println(err.Error())
		return
	}

	// here the fp parameter is the relative location of the file, which we want to be absolute
	fp, err = filepath.Abs(fp)
	if err != nil {
		fmt.Println(err.Error())
		return
	}

	// this will execute the compiled code with the working directory specified by fp
	v.ExecInstructions(instructionSets, fp)
}
```

ear7h commented 7 years ago

cc @st0012 if you have anything to add

mfzl commented 7 years ago

Thanks, that answers one part of the question. The other part is restricting what goby programs can do, or sandboxing as a security measure. I'm assuming goby can call the syscalls package and others. I want to restrict that; is that possible?

st0012 commented 7 years ago

@faxal Currently we don't have any library that lets you call syscalls yet, so you don't need to restrict it 😅

mfzl commented 7 years ago

:smile: That is good to know. Maybe it'll be a good idea to have that option (restricting which libraries can be used by the program) if and when you do.

Thanks

st0012 commented 7 years ago

@faxal You mean users can't even require a restricted library in the program?

mfzl commented 7 years ago

I'm worried about ensuring the security of the system the script is being run in. If users can never affect the running system, then it is not required.

For a hypothetical example, assuming goby can open files, I don't want the scripts to be able to open files in /etc or fork, exec another program, such and such.

Maybe I'm thinking outside the scope of goby.

What I anticipated was that I would initiate the goby VM, load some script from a database, pass the Go objects from the Go program, and execute the script. It will not have access to anything else, other than the objects and context provided by the host Go program.

mfzl commented 7 years ago

For a more constructive example, this is how zygomys does it:

https://github.com/glycerine/zygomys/blob/52f09326840ffc609f102ede2f51e458ed58af5e/repl/environment.go#L64

It whitelists all safe functions and uses them in sandbox mode.
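The allowlist pattern mfzl points to, shown as an added Go illustration that is not part of this thread, of goby, or of zygomys: every host function a script may call must be registered and explicitly allowed (default deny), and the one file-reading function that is allowed confines script-supplied paths to a root directory, so the "/etc" case from the earlier comment is refused. The `Sandbox`, `HostFunc`, `ResolveInside` and `ConfinedRead` names are hypothetical; the script side is stood in for by direct `Call` invocations.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// HostFunc is the shape of a function the host program hands to a script.
// Hypothetical API for illustration only; goby does not expose this.
type HostFunc func(args ...string) (string, error)

// ErrNotAllowed is returned for any name that is not on the allowlist,
// whether or not a function of that name exists.
var ErrNotAllowed = errors.New("sandbox: function not allowed")

// Sandbox knows every host function plus the subset a script may call.
// Default is deny: a function must be allowlisted explicitly to be callable.
type Sandbox struct {
	funcs   map[string]HostFunc
	allowed map[string]bool
}

func NewSandbox() *Sandbox {
	return &Sandbox{funcs: map[string]HostFunc{}, allowed: map[string]bool{}}
}

// Register makes a function known to the sandbox without allowing it.
func (s *Sandbox) Register(name string, fn HostFunc) { s.funcs[name] = fn }

// Allow puts names on the allowlist (the "safe functions" of the zygomys approach).
func (s *Sandbox) Allow(names ...string) {
	for _, n := range names {
		s.allowed[n] = true
	}
}

// Call is the only entry point a script gets. The allowlist is checked before the
// function is even looked up, so a denied name never runs and never leaks whether it exists.
func (s *Sandbox) Call(name string, args ...string) (string, error) {
	if !s.allowed[name] {
		return "", ErrNotAllowed
	}
	fn, ok := s.funcs[name]
	if !ok {
		return "", fmt.Errorf("sandbox: %q allowed but not registered", name)
	}
	return fn(args...)
}

// ResolveInside maps a script-supplied relative path onto root and rejects anything
// that would land outside it: absolute paths and ".." traversal.
func ResolveInside(root, p string) (string, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	if filepath.IsAbs(p) {
		return "", fmt.Errorf("sandbox: absolute path %q refused", p)
	}
	full := filepath.Join(absRoot, p) // Join cleans the result, collapsing ".." segments
	rel, err := filepath.Rel(absRoot, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("sandbox: %q escapes %s", p, root)
	}
	return full, nil
}

// ConfinedRead builds a host function that reads files only under root.
// A production version would also resolve symlinks (filepath.EvalSymlinks) before
// reading, because a link inside root can still point outside it.
func ConfinedRead(root string) HostFunc {
	return func(args ...string) (string, error) {
		if len(args) != 1 {
			return "", errors.New("read: expected exactly one path")
		}
		full, err := ResolveInside(root, args[0])
		if err != nil {
			return "", err
		}
		data, err := os.ReadFile(full)
		if err != nil {
			return "", err
		}
		return string(data), nil
	}
}

func main() {
	sb := NewSandbox()
	sb.Register("upper", func(a ...string) (string, error) { return strings.ToUpper(strings.Join(a, " ")), nil })
	sb.Register("read", ConfinedRead("./scripts")) // constructed root directory for the demo
	sb.Register("exec", func(a ...string) (string, error) { return "", errors.New("would spawn a process") })
	sb.Allow("upper", "read") // "exec" stays registered but denied

	for _, call := range [][]string{{"upper", "hello"}, {"exec", "ls"}, {"read", "../../etc/passwd"}} {
		out, err := sb.Call(call[0], call[1:]...)
		fmt.Printf("%-5s -> %q, err=%v\n", call[0], out, err)
	}
}
```

The point of checking the allowlist before the function lookup is that the exposed surface is exactly the set passed to `Allow`, independent of what the host happens to have registered; adding a new host capability later does not widen what scripts can reach until someone opts it in.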

st0012 commented 7 years ago

@faxal Thanks for the information! I never thought about this before, but we'll discuss this issue in the future. BTW you can join our Slack and have a discussion with us.

mfzl commented 7 years ago

:pray: Thanks