
A great sandbox idea

Open keskad opened this issue 11 years ago • 16 comments

Hello.

I just got a brilliant idea in my head, so I must write it here.

It's possible to parse PHP code after compilation (using PHP's tokenizer) and check for unwanted functions.

Example usage of tokenizer to get all defined classes in php file: https://github.com/webnull/panthera/blob/master/lib/modules/autoloader.tools.module.php#L86

To get a hermetic sandbox, dynamic function names (e.g. $name('test')) can be disallowed.

What do you think about it? This can be implemented as a plugin that parses PHP file right after compilation.

There is nothing to implement in the parser :)

keskad avatar Sep 01 '13 16:09 keskad

This is the best idea to realize the sandbox. With the tokenizer we may also be able to create a white list that disables all functions except the ones listed in it.

Keep me posted.

feulf avatar Sep 03 '13 23:09 feulf

In my free time I will try to code something. If this were implemented, where should the code go? In a plugin, or merged with the RainTPL code?

keskad avatar Sep 04 '13 09:09 keskad

Good question. I think it is fine either embedded or as a plugin, as long as the code is well structured and organized in separate files, and as long as it is possible to easily enable/disable it.


feulf avatar Sep 04 '13 09:09 feulf

I tried something with the Tokenizer, but I was unable to get the T_VARIABLE token - I don't know why it wasn't parsed (maybe a bug in PHP's tokenizer?).

https://gist.github.com/webnull/6435312

I found out that there is also a good project called php-sandbox (https://github.com/fieryprophet/php-sandbox), so the RainTPL plugin could use it to provide a good sandbox.

keskad avatar Sep 04 '13 10:09 keskad

As far as I know, php-sandbox is a real-time sandbox, so that solution could be really slow and not ideal for use in RainTPL.

I think the tokenizer is the right way to go!


feulf avatar Sep 04 '13 11:09 feulf

But it can be used once. I think it will be even a better solution.

keskad avatar Sep 04 '13 12:09 keskad

Sure, but why do you think it is better?


feulf avatar Sep 04 '13 13:09 feulf

Because I tried the Tokenizer but I can't get the expected result.

I just got a list of functions from:

<?php aaaa('test'); bbb  ('cccc'); ?>

But it failed on parsing a string like $aaa('bbbb'); maybe it's a PHP bug? It was unable to find the T_VARIABLE token, so the code was impossible to secure.

keskad avatar Sep 04 '13 13:09 keskad

The php-sandbox project already has all the features and is starred about 800+ times; maybe it's a really good solution for a PHP sandbox we could use.

keskad avatar Sep 04 '13 13:09 keskad

Sure, that's worth a try.


feulf avatar Sep 05 '13 11:09 feulf

Mistake - php-sandbox is starred ~60 times. There is also a PHP parser written in PHP: https://github.com/nikic/PHP-Parser

These two projects look really nice and easy to use.

keskad avatar Sep 05 '13 14:09 keskad

Cool, keep me updated with your experiments.

P.S. Nikita Popov is a great PHP core developer; his blog posts are great.


feulf avatar Sep 05 '13 14:09 feulf

I have planned to replace the current sandboxing with a plugin that will use the PHP parser in RainTPL Next Generation. This could be easy to implement.

keskad avatar Apr 23 '15 14:04 keskad

Sure, whatever makes sense. I'd personally check on packager whether a package that does that already exists.


feulf avatar Apr 24 '15 03:04 feulf

Yeah, I'm still talking about https://github.com/nikic/PHP-Parser

keskad avatar Apr 24 '15 17:04 keskad

Partially implemented in https://github.com/Panthera-Framework/raintpl3/commit/8bedcde688851d4658816ebe70c1e5a3a0975dc8

Requires a better whitelist + support for static includes (and detecting dynamic includes to ban them).

keskad avatar Apr 24 '15 21:04 keskad
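The approach discussed in this thread (run PHP's tokenizer over the compiled template, allow only white-listed functions, reject dynamic calls such as $name('test'), and tell static includes apart from dynamic ones) can be put together in one post-compilation checker. The following is an added example written for this page; it is not RainTPL code, not the commit linked above, and not keskad's gist. The class name TemplateChecker, the allow-list, and the sample compiled template are assumptions. It goes a little beyond the thread in that it also catches the other call forms PHP accepts where the callee is an expression rather than a bare name ('name'(), (expr)(), [$obj, 'm'](), ${'x'}()), since a white list on T_STRING tokens alone would miss them. On the T_VARIABLE question raised above: token_get_all() does emit a T_VARIABLE token for $aaa, so the checker simply looks for a T_VARIABLE directly followed by '('.

```php
<?php
declare(strict_types=1);

// Added example (not RainTPL's code): static allow-list check over compiled template PHP.
final class TemplateChecker
{
    /** @var array<string,true> lowercase names the template may call (assumed allow-list) */
    private array $allowed;

    /** @param string[] $allowedFunctions */
    public function __construct(array $allowedFunctions)
    {
        $this->allowed = array_fill_keys(array_map('strtolower', $allowedFunctions), true);
    }

    /** @return string[] one message per violation; an empty array means the code passed */
    public function check(string $php): array
    {
        // Drop whitespace and comments so `bbb  ('cccc')` is seen as bbb directly followed by '('
        $tokens = array_values(array_filter(token_get_all($php), static function ($t): bool {
            return !is_array($t) || !in_array($t[0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true);
        }));

        // PHP 8 tokenizes `\strlen` as one T_NAME_FULLY_QUALIFIED token; PHP 7 gives T_NS_SEPARATOR + T_STRING
        $nameTokens = [T_STRING];
        if (defined('T_NAME_FULLY_QUALIFIED')) {
            $nameTokens[] = T_NAME_FULLY_QUALIFIED;
            $nameTokens[] = T_NAME_QUALIFIED;
        }

        $violations = [];
        $n = count($tokens);
        for ($i = 0; $i < $n; $i++) {
            $t      = $tokens[$i];
            $prev   = $tokens[$i - 1] ?? null;
            $next   = $tokens[$i + 1] ?? null;
            $id     = is_array($t) ? $t[0] : $t;
            $text   = is_array($t) ? $t[1] : $t;
            $line   = is_array($t) ? $t[2] : '?';
            $prevId = is_array($prev) ? $prev[0] : $prev;

            if ($id === T_EVAL) {
                $violations[] = "line $line: eval() is never allowed";
                continue;
            }

            if (in_array($id, [T_INCLUDE, T_INCLUDE_ONCE, T_REQUIRE, T_REQUIRE_ONCE], true)) {
                // A static include is exactly `include 'literal';` - anything else is dynamic
                $after    = $tokens[$i + 2] ?? null;
                $isStatic = is_array($next) && $next[0] === T_CONSTANT_ENCAPSED_STRING && $after === ';';
                if (!$isStatic) {
                    $violations[] = "line $line: dynamic include/require is not allowed";
                }
                continue;
            }

            if ($next !== '(') {
                continue; // only call sites matter from here on
            }

            if ($id === T_VARIABLE) {
                // $name('test') and $$name(): the tokenizer reports `$name` as T_VARIABLE
                $violations[] = "line $line: dynamic call through variable $text";
            } elseif ($id === T_CONSTANT_ENCAPSED_STRING || $id === ')' || $id === ']' || $id === '}') {
                // 'name'(), (expr)(), [$obj, 'm'](), ${'x'}() are the remaining dynamic call forms
                $violations[] = "line $line: dynamic call via expression before '('";
            } elseif ($id === T_FUNCTION) {
                $violations[] = "line $line: closures are not allowed";
            } elseif (in_array($id, $nameTokens, true)) {
                if ($prevId === T_OBJECT_OPERATOR || $prevId === T_DOUBLE_COLON) {
                    $violations[] = "line $line: method call $text() is not allowed";
                } elseif ($prevId === T_NEW) {
                    $violations[] = "line $line: object creation new $text() is not allowed";
                } elseif ($prevId === T_FUNCTION) {
                    $violations[] = "line $line: function declaration $text is not allowed";
                } elseif (!isset($this->allowed[strtolower(ltrim($text, '\\'))])) {
                    $violations[] = "line $line: function $text() is not on the allow-list";
                }
            }
        }
        return $violations;
    }
}

// Constructed sample of what a compiled template might contain (assumed content)
$compiled = <<<'PHP'
<?php
echo strtoupper($title);
$name = 'test'; $name('x');
include 'header.php';
include $page . '.php';
?>
PHP;

$checker = new TemplateChecker(['strtoupper', 'htmlspecialchars', 'count']);
foreach ($checker->check($compiled) as $violation) {
    echo $violation, PHP_EOL;
}
```

A plugin hooking in right after compilation would run check() on the generated PHP and refuse to write the compiled file if the array is non-empty. Because the check is done once per compilation rather than at every render, it has none of the per-request cost of a runtime sandbox, which is the point made in the thread.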