Closed Rossco8 closed 3 years ago
Rossco8 wrote at 2021-5-24 18:58 -0700:
> Hi, I am not understanding the documentation for enabling some imports.

One of the main users of `RestrictedPython` is `Zope`. It configures `RestrictedPython` via the package `AccessControl` (--> PyPI). You can always look there for examples.
In particular, `AccessControl` puts a function `guarded_import` as `__import__` into `safe_builtins` to support and control imports.
Thanks @d-maurer but I'm still not sure of the correct usage. I have had a look through AccessControl package and did not find the example I was hoping for. I can see that by providing the `safe_builtins` argument to the exec() method that my import is now working, however it is also allowing `import sys, os` - Shouldn't they be blocked?
Are you able to provide small code snippet of the correct way to setup RestrictedPython to allow some whitelisted imports, but not the unsafe ones?
Rossco8 wrote at 2021-5-25 16:18 -0700:
> Thanks @d-maurer but I'm still not sure of the correct usage. I have had a look through AccessControl package and did not find the example I was hoping for. I can see that by providing the `safe_builtins` argument to the exec() method that my import is now working, however it is also allowing `import sys, os` - Shouldn't they be blocked?
> Are you able to provide small code snippets of the correct way to setup RestrictedPython to allow some whitelisted imports, but not the unsafe ones?

I am not willing to solve your concrete problem; that, you must do yourself.
To allow for imports, you must define `__import__` in `safe_builtins`. Which imports are allowed (or not) is decided by the (function) value you give `__import__`.
In `AccessControl`, `guarded_import` is used as value for `__import__`. It uses `validate` to check whether an import is acceptable. `AccessControl`'s `validate` delegates to a security manager (which interprets security declarations). Obviously, for your problem, you could implement a `validate` variant which implements your import policy, i.e. says ok or no for precisely those imports you want to allow or deny.
Note that your `validate` may have a simpler signature and that `from M import N` should be allowed if (and only if) `import M` and `M.N` are both allowed.
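
One way to wire up the approach this answer describes, as an added example that is not code from the thread, from AccessControl or from RestrictedPython itself. `IMPORT_POLICY`, `validate`, `guarded_getattr` and `run_restricted` are hypothetical names with a constructed policy, and the last two assume RestrictedPython is installed.

```python
import builtins
import types

# Constructed example policy: module -> names untrusted code may use from it.
IMPORT_POLICY = {"math": {"sqrt", "pi"}, "json": {"dumps", "loads"}}


def validate(module, name=None):
    """Return True if `import module` (name=None) or `module.name` is allowed."""
    allowed = IMPORT_POLICY.get(module)
    if allowed is None:
        return False
    return name is None or name in allowed


def guarded_import(name, globals=None, locals=None, fromlist=(), level=0):
    """Replacement for __import__ that asks validate() before importing."""
    if level != 0:
        raise ImportError("relative imports are not allowed")
    if not validate(name):
        raise ImportError(f"import of {name!r} is not allowed")
    # `from M import N` needs both `import M` and `M.N` to be allowed.
    for attr in fromlist or ():
        if not validate(name, attr):
            raise ImportError(f"import of {name}.{attr} is not allowed")
    return builtins.__import__(name, globals, locals, fromlist, level)


def guarded_getattr(obj, name, *default):
    """Apply the same policy to attribute access on imported modules."""
    # Imported lazily so the policy functions above work without RestrictedPython.
    from RestrictedPython.Guards import safer_getattr
    if isinstance(obj, types.ModuleType) and not validate(obj.__name__, name):
        raise AttributeError(f"{obj.__name__}.{name} is not allowed")
    return safer_getattr(obj, name, *default)


def run_restricted(source):
    """Compile and run `source` with only the policy-approved imports."""
    from RestrictedPython import compile_restricted, safe_builtins
    # Copy safe_builtins so the shared dict is not modified for other callers.
    restricted_builtins = dict(
        safe_builtins, __import__=guarded_import, _getattr_=guarded_getattr
    )
    env = {"__builtins__": restricted_builtins}
    exec(compile_restricted(source, "<untrusted>", "exec"), env)
    return env
```

The policy only covers what is imported and what is read off a module object; values returned by an allowed function are not filtered, so keep the allowed names to functions whose results are safe to hand to untrusted code.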
Thanks, Defining import in safe_builtins was the missing piece, it is working now
Hi, I am not understanding the documentation for enabling some imports. As a simple example, I want to allow the source code to import a global variable, e.g.
This is my sample code
and the mycode.py
the `exec()` method is failing with `__import__ not found`
How can I allow some imports?