Mileage with safe

simon.proctor has asked for the wisdom of the Perl Monks concerning the following question:

I'm writing a content delivery system based on the Template Toolkit but with additional functionality added for configuration etc.

One feature that I am working on is to allow plugins to modify the program data as I move from one stage of the application to the next. This is in its early stages and I intend to make this as safe as possible by controlling program access as much as possible.

Currently, I am using 'require' and then 'import' to dynamically load my module and then run three predefined object methods. This is done within an eval block but I feel a little uncomfortable about that (as you can imagine :P). <bt>
Using 'safe' seems to be the answer to my problems as I can expose a single API object to the plugin compartment and control access (unless someone has a better idea?) but not having used it before I was wanting some advice.

Heres the current code where I'm using 'eval':

# --------------------------------------------------------
# Build the environment var. for the plugins
# --------------------------------------------------------

my $environment = {
    'parser_conf'    =>    $conf,
    'vars_conf'        =>    $vars
};

# Stage, environment hash, config object
runPlugin('2',$environment,$plugin_config);
[download]

# ---------------------------------------------------------
# runPlugin
# ~~~~~~~~~
# Runs a plugin at a given stage of the content engine 
# phase. Expects the stage,
# the environment and the plugin configuration as 
# parameters.
# ---------------------------------------------------------

sub runPlugin
{
    my $setting = shift;
    my $environment = shift;
    my $plugin_config = shift;
    
    return unless defined $setting;
    return unless defined $environment;
    return unless defined $plugin_config;

    if(defined($plugin_config->setting($setting)))
    {
        # We have a winner
        my $module = $plugin_config->setting($setting);
        $module =~ s/\.(pm|PM)$//;
        eval{
            # Import - create object - run code
            my $mainmodule = "Plugins/Core/" .$module . ".pm";

            require $mainmodule; 
            import $mainmodule;

            my $obj = $module->new();
            $obj->run(
                $environment
            );
        
            $obj->closedown();
        };
        if($@)
        {
        # Log this or something         
        }
    }
}
[download]

Thanks!

Comment on Mileage with safe Select or Download Code

Replies are listed 'Best First'.
Re: Mileage with safe by mortis (Pilgrim) on Dec 11, 2001 at 20:26 UTC
Are you just trying to make sure that errors in the plugin don't cause your code to die? Which eval is great for. Or are you trying to restrict the plugin to only be able to perform a (very) limited amount of actions? Which Safe.pm should be great for. If all you're trying to do is keep the plugin's errors from aborting your code, but still want it to be able to do anything that the rest of the codebase does, then eval is probably the best choice. Just log $@ after the eval so the plugin authors have a way of tracking down their errors.	[reply]
Re: Re: Mileage with safe by simon.proctor (Vicar) on Dec 11, 2001 at 20:43 UTC
I want to build a sandbox environment for the plugins but where they can only play with the toys I give them :). Eval allows any and all code to be executed (provided its valid Perl of course) but Safe appears not to. I intend to follow the standard approach of 'what is not permitted is automatically denied'. I agree that Safe is the answer hence my original question. I have already started to lock down the environment to prevent clobbering by using 'tie' to control access to the hash. I have done this by appropriate use of STORE() and caller(). Now that I have had longer to think about it and try some code out, my wants list for features is something like: 1. Allow controlled access to the environment (WIP) 2. Remove access to anything dangerous (well... as much as possible at least) 3. Providing as much API code as possible to make the developers life easier :P 4. Allow plugins to be chained (etc etc etc). If I can get this framework right then hopefully I can reapply it to many of my other projects too. Not just a content management system.	[reply]
Re: Mileage with safe by gildir (Pilgrim) on Dec 11, 2001 at 20:35 UTC
Have a look at 'perldoc Safe' for basic advice. The documentation is quite good. Also look at Safe module security and emebeded perl and Perl sandbox for some advanced topics. Safe module works quite good for me. I limit posibilities of perl code embeded in XML templates with Safe, and I'm happy with it. As soon as you find the proper set of opcodes to allow, it works fine.	[reply]
Safe.pm is not safe by ask (Pilgrim) on Dec 12, 2001 at 13:35 UTC
Please keep in mind that Safe.pm is not safe. By returning the right values from the safe compartment it's quite possibly to "break out" of it. If I recall correctly it requires that the main program uses the return value; but the Safe compartment wouldn't be much use without returning anything, huh? Someone with more clue than me can probably provide more insight, but I didn't see this brought up in any of the earlier Safe.pm discussions so I thought I would mention it. - ask -- ask bjoern hansen, http://ask.netcetera.dk/ !try; do();	[reply]


Don't ask to ask, just ask
	PerlMonks