Generating the Python code on the server side

[Pāvils Jurjāns]

I have a idea about project where the script that is built with Blockly is then stored on the server and executed on the server side, as an automatic routine procedure.

For obvious security reasons, that code must be tightly controlled, contain only the allowed API calls.

Therefore, I don't feel its acceptable to let the client side generate the Python code, and then send it as a string over to the server where it is later executed. A malicious user could inject his malicious code and break the server.

I am thinking about sending over to the server only the xml represenation of the blocks (Blockly.Xml.workspaceToDom(workspace)), and build the code on the server side.

Is there any way how to carry out the code generation on the server side? I believe one could use Node.js to execute the properly adjusted Blockly core code, but I was hoping to get through without involving Node.js layer to my project.

[Blake]

I think any way you slice it you have to involve some piece of server-side software that executes Javascript. Neil was gracious enough to decouple the rendering of Blocklys interface from the code generators to enable headless code generation.

If you want to just execute the users Javascript code in the browser safely Neil has a project which is pretty amazing:

https://developers.google.com/blockly/installation/js-interpreter?hl=en

Blake

--
You received this message because you are subscribed to the Google Groups "Blockly" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blockly+u...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Austin Bart]

You might be interested in my research project, by the way: www.blockpy.com

[Pāvils Jurjāns]

Hi, it's an interesting project!

But it is hard to follow the code, do you really execute the code on the server side? I see that you submit the Python code to server at every single change, but I can't find the place in your Python server code where it is executed.

The "about" page proudly claims "client-side Python execution", apparently using Skulpt.

In my case, I need the code to be executed on the server side, but I'd like to be sure the code does not contain any fancy ways how to crash the server. If I could pass to the server just the blocks, and generate the code on the server side, that would be the way. Ok, one could still write malicious code also with blocks, such as endless loops etc, but those could be time-terminated, if run on a separate thread.

[Austin Bart]

Hello,

You're right that the code is not executed on the server - the server is only used for persistence. Skulpt is a Python->JavaScript transpiler that works as an execution environment on the client. I thought you'd be more interested in comparing your approach to mine, rather than submitting it as a solution to your problem.

The major limitation here is that code execution is not secure against manipulation in terms of verifying local assessment (which has important pedagogical implications for us; we advocate using it as a practice environment, not a summative assessment environment). However, this means that we have a perfectly safe environment in terms of what the user can do to us. It's sandboxed by nature of being in the browser. We do time terminate the code in the client to prevent accidental endless loops, but that's for their benefit rather than our's. If we ever wanted to do secure assessment, our solution would be to simply also send the generated python code to the server to run in a sandbox and verify they got the correct solution; there's already a large space of environments that do this already with many languages, so it's less interesting to us as researchers.

If you use case is to definitely only run on the server, and your goal is to prevent the user from submitting malicious code, then you might want to consider your approach carefully. Remember that the user can submit more than what your interface supports; they are free to use GET/POST requests from within the browser to submit whatever text strings they want. You should never trust user input. You'll probably want to just get a sandboxed Python execution environment, which is a fairly distinct problem from what is done around here. Essentially, code on the server should not be able to do certain things. I suppose you could also only generate Python code on the server according to safe rules, but I would be concerned about edge cases (you'd have a sort of 'Python Injection' problem, like a SQL Injection).

Good luck,
~Cory

[Pāvils Jurjāns]

Thank you for sharing your considerations!

In a way, I am indeed stuck in the need of executing the code on the server, because it has to operate with hardware resources that are available only at the server side, routinely - when the user has logged off their web client. Perhaps running the code in a server-side sandbox with few "outside" functions to call from within, is the way to go. I've never researched how safe that really is, though.

Best,

Pavils

[Nat Budin]

It's not Python, but at PatientsLikeMe we have a similar set of requirements and concerns and have been working on a Blockly interpreter in Ruby.  We use the XML Blockly generates and run it on the server.  This allows us to control what code we allow executing from user-defined programs.

We're hoping to release our interpreter in the near future.  I think it could be translated to Python without too much trouble, since there's nothing all that Ruby-specific about it.