PHP sandbox / sanitize code passed to create_function

I use create_function to run some user code on the server. I am looking for either of these two:

  • Is there a way to sanitize the code passed to it in order to prevent something harmful from executing?
  • Alternatively, is there a way to indicate that this code will be run in an isolated environment, so that the user cannot play with anything else?

Thanks!

+2
8 answers

You can use the tokenizer to find out what the code will do, and then whitelist certain functions and operations. I think that ultimately it will be very difficult (or impossible) to make it reliable, especially considering the flexibility of PHP:

    $f = "shell_exec";
    $arg = 'rm -rf /';
    $f($arg);                                    // ouch: variable function
    call_user_func($f, $arg);                    // ouch: dynamic dispatch
    eval("$f('$arg');");                         // ouch: eval
    $newF = create_function('', "$f('$arg');");  // ouch: create_function is itself eval
    $newF();

The only kind of sandbox that will give you 100% protection (well, 99.9% ...) is a virtual machine, which you can just throw away later.

+3
source

We use a tokenizer to analyze the code statically, as well as to change the code to perform runtime checks for certain things. This is done with the help of a tokenizer and scripts based on a tokenizer. Since the tokenizer is the same one that PHP uses, it improves your odds compared to writing your own.

I have seen people who use regular expressions to try to parse a language. This is a really bad idea.

But...

Since PHP has a rather stupid-simple grammar, and you have access to the tokenizer, you can actually stop most of the bad stuff by discarding variable functions and allowing only a small number of whitelisted functions. If you don't need OOP, even better.

However, we do not feel confident enough that we have nailed 100% of the problems, and we use this to power the sandbox for backend users who pay customers, and not every user on planet Earth, using the keyboard and, possibly, anger.

I also think that people who poo-poo the idea of ​​100% as "bad practice" should get the key. There are reasons for this.

+3
source
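The two tokenizer answers above describe a static pre-check but show no code. The following is an added example written for this page, not code from the thread, from Stack Overflow or from any project: it runs PHP's own token_get_all over a user snippet and refuses variable functions ($f()), eval/include, object and static calls, closures, backticks, superglobals, string-interpolation tricks, namespaced calls and any function call not on an explicit allowlist. The allowlist, the function name checkUserCode and the sample snippets are assumptions for illustration.

```php
<?php
// Added example (not from the thread): static allowlist check for user-supplied
// PHP built on token_get_all(). Returns null when the code passes, otherwise a
// human-readable reason for rejection. Assumptions: the allowlist below and the
// constructed sample snippets at the bottom.
declare(strict_types=1);

// Assumed allowlist: pure string/number helpers only. No higher-order functions
// (array_map, usort, ...) because they accept callables, and a callable built at
// runtime ('sys' . 'tem') is invisible to a token scan.
const ALLOWED_FUNCTIONS = ['strlen', 'strtoupper', 'strrev', 'substr', 'round', 'max', 'min'];
const SUPERGLOBALS = ['$GLOBALS', '$_SERVER', '$_GET', '$_POST', '$_FILES',
                      '$_COOKIE', '$_SESSION', '$_REQUEST', '$_ENV'];

// Token kinds that are never acceptable in a sandboxed snippet. Some names only
// exist on newer PHP versions, so they are added via defined().
function forbiddenTokens(): array
{
    $ids = [T_EVAL, T_INCLUDE, T_INCLUDE_ONCE, T_REQUIRE, T_REQUIRE_ONCE,
            T_NEW, T_CLASS, T_FUNCTION, T_STATIC, T_GLOBAL, T_GOTO,
            T_OBJECT_OPERATOR, T_DOUBLE_COLON, T_NS_SEPARATOR,
            T_CURLY_OPEN, T_DOLLAR_OPEN_CURLY_BRACES,  // "{$x()}" / "${...}"
            T_CLOSE_TAG, T_INLINE_HTML];               // breaking out of PHP
    foreach (['T_FN', 'T_NULLSAFE_OBJECT_OPERATOR', 'T_NAME_QUALIFIED',
              'T_NAME_FULLY_QUALIFIED', 'T_NAME_RELATIVE', 'T_ATTRIBUTE'] as $c) {
        if (defined($c)) {
            $ids[] = constant($c);
        }
    }
    return $ids;
}

function checkUserCode(string $code): ?string
{
    $tokens = token_get_all('<?php ' . $code);
    $n = count($tokens);
    $forbidden = forbiddenTokens();

    // Index of the next token after $i that is not whitespace or a comment, or -1.
    $next = function (int $i) use ($tokens, $n): int {
        for ($j = $i + 1; $j < $n; $j++) {
            $t = $tokens[$j];
            if (is_array($t) && in_array($t[0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true)) {
                continue;
            }
            return $j;
        }
        return -1;
    };
    $isText = function (int $j, string $s) use ($tokens): bool {
        return $j >= 0 && is_string($tokens[$j]) && $tokens[$j] === $s;
    };

    for ($i = 1; $i < $n; $i++) {   // index 0 is the T_OPEN_TAG we prepended
        $t = $tokens[$i];
        $callFollows = $isText($next($i), '(');

        if (is_string($t)) {        // single-character tokens
            if ($t === '`') {
                return 'backtick shell execution is not allowed';
            }
            // ")(", "](", "}(" : calling the result of an expression, array element or ${...}
            if ($callFollows && in_array($t, [')', ']', '}'], true)) {
                return 'calling an expression result is not allowed';
            }
            continue;
        }

        [$id, $text, $line] = $t;
        if (in_array($id, $forbidden, true)) {
            return sprintf('forbidden construct "%s" on line %d', trim($text), $line);
        }
        if ($id === T_VARIABLE) {
            if (in_array($text, SUPERGLOBALS, true)) {
                return "$text is not accessible";
            }
            if ($callFollows) {
                return "variable function call $text() on line $line";
            }
        }
        if ($id === T_STRING && $callFollows && !in_array(strtolower($text), ALLOWED_FUNCTIONS, true)) {
            return "function $text() is not on the allowlist (line $line)";
        }
        if ($id === T_CONSTANT_ENCAPSED_STRING) {
            // A plain string literal naming a real function is a dynamic-dispatch payload
            // waiting to be handed to $f(), call_user_func() or a callback parameter.
            $name = strtolower(trim($text, "'\""));
            if (function_exists($name) && !in_array($name, ALLOWED_FUNCTIONS, true)) {
                return "string literal names the function $name (line $line)";
            }
        }
    }
    return null;
}

// Constructed samples: one accepted snippet and several that exercise a rule each.
$samples = [
    'return strtoupper(strrev($input));',
    '$f = $name; return $f($arg);',
    '$f = "shell_exec"; return $f($arg);',
    'return call_user_func("system", "id");',
    'return array_map("passthru", [$input]);',
    'return `id`;',
    'return $_SERVER["PATH"];',
    '$o = new DateTime(); return $o->format("c");',
];
foreach ($samples as $code) {
    printf("%-48s => %s\n", $code, checkUserCode($code) ?? 'accepted');
}
```

This is a pre-filter, not a sandbox: it only ever shrinks the set of snippets that reach the interpreter, and it accepts the thread's premise that a token scan cannot be made airtight (a rejected construct is a rejected construct, but an accepted one still runs with the full privileges of the PHP process). Anything that passes should still execute in a throwaway environment such as the disposable VM the first answer recommends, with disable_functions and open_basedir set as a further layer. Note also that create_function was deprecated in PHP 7.2 and removed in PHP 8.0, so the scan would today be followed by eval() or a closure rather than create_function.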

You cannot reliably sanitize user input - a particular hacker will find some obscure way to get around your sanitization code.

A sandbox may be possible, but equally harmful. If you really want to be safe, you must create a sandbox for each call. In the end, someone can execute dummy code that is harmful to all other users of your sandbox.

I don’t think you really want that. Think of it this way: you provide programmatic access to the server!

+2
source

You can try using Quercus, a Java-based PHP interpreter, to create a secure PHP sandbox. You can do the same for JavaScript using Rhino, so I think it's possible with Quercus.

+2
source

You might consider creating a custom(ized) language that your users can use. Then you need to create a library of supported functions, which may well be just a shell of your own PHP functions. But even then, making it hacked or just working, at best it is a tedious job. Perhaps you should overestimate why you want users to have access to the code in the first place? I would like to help if you need someone to discuss this with (or update your question, I think? :)

Hope you can fix it!

-Dave

+1
source

This is a class on GitHub that might help in the early stages, but looks promising.

https://github.com/fregster/PHPSandbox

+1
source

A common bad idea and too dangerous IMO, no matter what protection you put in place. It’s better to create a pseudo-language limited to what users allow.

0
source

Source: https://habr.com/ru/post/1369539/
