
Re: [pygame] Python bots in Galcon (or your game!) safe_eval



Quick update here:

- I've moved this code into a svn repository:
svn://www.imitationpickles.org/pysafe/trunk
I've stripped the tests and notes and other misc. junk out of safe.py and put them in separate files so that safe.py is nice and small and easy to look at.

Since my initial mention here, a number of notable bugs have been caught
- removing type() - the biggest
- catching unicode __'s
- lots of inner-reworking with better understanding of how python handles exec
- more and more tests

My current biggest concern is the _BUILTIN_OK list.  If you look below it, I have a copy of the same from Zope.  They don't include some items that I do include - such as "filter" and "slice" and "object".  Anyone know if those functions can be used for naughty activities?  Or why Zope excludes them?

Thanks for all the help!
Phil


Phil Hassey <philhassey@xxxxxxxxx> wrote:
Hey,

I spent some time today working on building a safe_eval function that would make it "safe" to run user submitted bots in games (Galcon, being that game ;)

http://www.imitationpickles.org/tmp/safe.py

The file includes links to a number of references on the topic, and why this likely won't work.  Anyway - I know a lot of you wanted to make bots for Galcon, so that's why I'm trying to put this together.  So if anyone can find security holes in my implementation, it would be a huge help - the more I find and get patched, the more likely I am to actually release Galcon with the ability for bot-plugins.

The known limitations at the top are things that I don't really want to fix - they are just limitations.  :)  I'm mainly interested in limiting what a bot can access (say other parts of the game code) and keeping them from using builtins like files, etc.

The two things I do in this script are:
- Step through the AST tree and reject scripts that use any non-whitelisted node types.  A lot of Python features are dropped, but enough are kept for building decent bots (the main bot from Galcon is "ok" as far as safe.py is concerned.)  I pretty much reject anything that falls into the magic category - generators, imports, execs, exceptions, etc...
- Replace non-whitelisted builtins with a function that raises an exception "you used a bad builtin!", run "exec code in context" and then restore all the builtins.

Anyway, feel free to poke around the code.  I think a working safe_eval would be a huge asset for games developed in python that want to have user submitted mods / bots.

Thanks!
Phil
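
The two steps described in the message above, as an added example that is not part of the original post and is not the pysafe code: an AST node whitelist with a double-underscore check, followed by execution with non-whitelisted builtins replaced by a stub that raises. It is an illustration of the structure, not a vetted sandbox. Assumptions: Python 3's `ast` module, the contents of both whitelists, the hypothetical names `check`, `safe_exec` and `UnsafeCode`, and a per-call `__builtins__` table in place of the patch-and-restore of the real builtins that the post describes.

```python
import ast
import builtins

# Assumed whitelists for this sketch; pysafe's real lists differ.
ALLOWED_NODES = {
    ast.Module, ast.Expr, ast.Assign, ast.AugAssign, ast.Name, ast.Load,
    ast.Store, ast.Constant, ast.BinOp, ast.UnaryOp, ast.BoolOp, ast.Compare,
    ast.Call, ast.keyword, ast.If, ast.For, ast.While, ast.Break, ast.Pass,
    ast.FunctionDef, ast.arguments, ast.arg, ast.Return, ast.List, ast.Tuple,
    ast.Dict, ast.Subscript, ast.Attribute, ast.Add, ast.Sub, ast.Mult,
    ast.Div, ast.Mod, ast.And, ast.Or, ast.Not, ast.USub, ast.Eq, ast.NotEq,
    ast.Lt, ast.LtE, ast.Gt, ast.GtE, ast.In, ast.NotIn,
}
ALLOWED_BUILTINS = {"abs", "bool", "float", "int", "len", "list", "max",
                    "min", "range", "sorted", "sum"}

class UnsafeCode(Exception):
    pass

def check(source):
    """Step 1: parse, then reject any non-whitelisted node or '__' name."""
    tree = ast.parse(source)
    for node in ast.walk(tree):
        if type(node) not in ALLOWED_NODES:
            raise UnsafeCode("node not allowed: " + type(node).__name__)
        # Name.id, Attribute.attr, FunctionDef.name, arg.arg, keyword.arg,
        # plus string constants (Constant.value).
        for field in ("id", "attr", "name", "arg", "value"):
            text = getattr(node, field, None)
            if isinstance(text, str) and "__" in text:
                raise UnsafeCode("double underscore not allowed: " + text)
    return tree

def _blocked(name):
    def stub(*args, **kwargs):
        raise UnsafeCode("you used a bad builtin: " + name)
    return stub

def safe_exec(source, context=None):
    """Step 2: run checked code with non-whitelisted builtins stubbed out."""
    tree = check(source)
    table = {n: getattr(builtins, n) if n in ALLOWED_BUILTINS else _blocked(n)
             for n in dir(builtins) if not n.startswith("_")}
    env = dict(context or {}, __builtins__=table)
    exec(compile(tree, "<bot>", "exec"), env)
    del env["__builtins__"]
    return env
```

`safe_exec` returns the bot's namespace, so the host can pull out the functions it defined; anything passed in `context` is reachable by the bot and has to be reviewed with the same care as the builtin list.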
