Re: [pygame] Python bots in Galcon (or your game!) safe_eval

Excellent work Phil, a subject close to my own heart/brain.


Quoting Phil Hassey <philhassey@xxxxxxxxx>:

> Hey,
> I spent some time today working on building a safe_eval function that would
> make it "safe" to run user submitted bots in games (Galcon, being that game
> ;)
> http://www.imitationpickles.org/tmp/safe.py
> The file includes links to a number of references on the topic, and why
> likely this won't work.  Anyway - I know a lot of you wanted to make bots for
> Galcon, so that's why I'm trying to put this together.  So if anyone can find
> security holes in my implementation, it would be a huge help - the more I
> find and get patched the more likely I am to actually release Galcon with
> the ability for bot-plugins.
> The known limitations at the top are things that I don't really want to fix -
> they are just limitations.  :)  I'm mainly interested in limiting what a bot
> can access (say other parts of the game code) and keeping them from using
> builtins like files, etc.
> The two things I do in this script are:
> - Step through the AST tree and reject scripts that use any non-whitelisted
> node types.  A lot of Python features are dropped, but enough are kept for
> building decent bots (the main bot from Galcon is "ok" as far as safe.py is
> concerned.)  I pretty much reject anything that falls into the magic category
> - generators, imports, execs, exceptions, etc...
> - Replace non-whitelisted builtins with a function that raises an exception
> "you used a bad builtin!", runs "exec code in context" and then restores all
> the builtins.
> Anyway, feel free to poke around the code.  I think a working safe_eval would
> be a huge asset for games developed in Python that want to have user
> submitted mods / bots.
> Thanks!
> Phil
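
The two checks described in the quoted message, as an added example written for Python 3; it is not Phil's safe.py and not part of the original thread. The node and builtin whitelists are assumed for illustration, and builtins are restricted by passing a reduced `__builtins__` mapping to `exec` rather than by patching and restoring the real ones.

```python
import ast

# Assumed whitelist for illustration; the node set used by safe.py is not shown here.
ALLOWED_NODES = (
    ast.Module, ast.Expr, ast.Assign, ast.AugAssign, ast.Name, ast.Load, ast.Store,
    ast.Constant, ast.BinOp, ast.UnaryOp, ast.BoolOp, ast.Compare, ast.operator,
    ast.unaryop, ast.boolop, ast.cmpop, ast.If, ast.For, ast.While, ast.Break,
    ast.Continue, ast.Pass, ast.Call, ast.keyword, ast.List, ast.Tuple, ast.Dict,
    ast.Subscript, ast.FunctionDef, ast.arguments, ast.arg, ast.Return,
)
# Assumed builtin whitelist: pure functions only, no open/eval/getattr/__import__.
ALLOWED_BUILTINS = {"abs": abs, "len": len, "max": max, "min": min,
                    "range": range, "sorted": sorted, "sum": sum}


class UnsafeCode(Exception):
    """Raised when a script uses a node type outside the whitelist."""


def violations(source):
    """Return the names of non-whitelisted node types found in source."""
    tree = ast.parse(source, mode="exec")
    return [type(n).__name__ for n in ast.walk(tree)
            if not isinstance(n, ALLOWED_NODES)]


def safe_exec(source, context=None):
    """Check source, then run it with only the whitelisted builtins visible."""
    bad = violations(source)
    if bad:
        raise UnsafeCode("rejected node types: " + ", ".join(sorted(set(bad))))
    env = dict(context or {})
    # Name lookups that miss the globals fall through to this mapping only.
    env["__builtins__"] = dict(ALLOWED_BUILTINS)
    exec(compile(source, "<bot>", "exec"), env)
    del env["__builtins__"]
    return env


if __name__ == "__main__":
    # Constructed sample bot: pick the largest fleet from a list supplied by the game.
    bot = "def pick(fleets):\n    return max(fleets)\nchoice = pick(ships)\n"
    print(safe_exec(bot, {"ships": [3, 9, 4]})["choice"])
    for src in ("import os", "x = ().__class__", "f = open('scores.txt')"):
        try:
            safe_exec(src)
        except (UnsafeCode, NameError) as exc:
            print(repr(src), "->", type(exc).__name__, exc)
```

A call to `open` passes the node check because it is an ordinary `Call` on a `Name`; it is stopped only by the builtin layer, which is why both checks are applied together.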
