How to require untrusted module?

kalime...@gmail.com

Oct 21, 2021, 10:37:12 AM
to Racket Users
I've read about protect-out and current-code-inspector, but I still cannot understand how to require a module and forbid it to run protected modules.

Something like (require untrusted-foo) (foo-proc) but to forbid foo-proc to use ffi/unsafe.

David Storrs

Oct 22, 2021, 1:22:39 PM
to kalime...@gmail.com, Racket Users
I'd be interested to know this as well.  It sounds like something that isn't possible in Racket, since it's essentially specifying how a module can do its job and that requires a level of introspection that I think is excluded by design.

On Thu, Oct 21, 2021 at 10:37 AM kalime...@gmail.com <kalime...@gmail.com> wrote:
I've read about protect-out and current-code-inspector, but I still cannot understand how to require a module and forbid it to run protected modules.

Something like (require untrusted-foo) (foo-proc) but to forbid foo-proc to use ffi/unsafe.

--
You received this message because you are subscribed to the Google Groups "Racket Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to racket-users...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/racket-users/5f10a124-6aeb-4389-8421-92034e93f8a7n%40googlegroups.com.

Matthew Flatt

Oct 22, 2021, 1:43:06 PM
to kalime...@gmail.com, Racket Users
If you use

(current-code-inspector (make-inspector))
(require untrusted-foo)

and assuming that `untrusted-foo` hasn't been loaded earlier, then
`untrusted-foo` will not be able to use protected binding.

That sequence will also disable the use of protected bindings by
anything that `untrusted-foo` depends on and that hasn't already been
loaded. So, if you want those dependencies to be able to use untrusted
things, you need to load them before `(current-code-inspector
(make-inspector))`.

Robby Findler

Oct 22, 2021, 1:59:57 PM
to Matthew Flatt, kalime...@gmail.com, Racket Users
On Fri, Oct 22, 2021 at 12:43 PM Matthew Flatt <mfl...@cs.utah.edu> wrote:
At Thu, 21 Oct 2021 07:37:12 -0700 (PDT), "kalime...@gmail.com" wrote:
> I've read about protect-out and  current-code-inspector, but I still cannot
> understand, how to require a module and forbid it to run protected modules.
>
> Something like (require untrusted-foo) (foo-proc) but to forbid foo-proc to
> use ffi/unsafe.

If you use

 (current-code-inspector (make-inspector))
 (require untrusted-foo)


Just in case: I think Matthew was thinking of two subsequent REPL interactions (or calls to eval or suchlike). If you put those two together into a file in #lang racket, say, you won't be protected against untrusted-foo.

Robby
 
and assuming that `untrusted-foo` hasn't been loaded earlier, then
`untrusted-foo` will not be able to use protected binding.

That sequence will also disable the use of protected bindings by
anything that `untrusted-foo` depends on and that hasn't already been
loaded. So, if you want those dependencies to be able to use untrusted
things, you need to load them before `(current-code-inspector
(make-inspector))`.


kalime...@gmail.com

Oct 22, 2021, 3:42:58 PM
to Racket Users
Thank you!

Is it possible to safely load an untrusted module with dynamic-require?

On Friday, October 22, 2021 at 22:59:57 UTC+5, Robby Findler wrote:

Matthew Flatt

Oct 23, 2021, 12:23:06 PM
to kalime...@gmail.com, Racket Users
Yes, you can use `dynamic-require` with a limited code inspector like
this:

(parameterize ([current-code-inspector (make-inspector)])
  (dynamic-require 'untrusted-foo 'foo-provided-name))
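The pattern from the last reply, as an added example that is not code from the thread: the trusted dependency is loaded first, then two constructed modules are loaded with `dynamic-require` under a fresh code inspector, one that references `malloc` from `ffi/unsafe` and one control that uses no protected bindings. The file locations, module bodies and the helpers `write-module!`, `load-untrusted` and `try-load` are assumptions made for illustration, as is `malloc` being among the bindings `ffi/unsafe` protects.

```racket
#lang racket/base
;; Added example, not code from the thread. Module names, bodies and file
;; locations are constructed. Run as a program: racket inspector-demo.rkt
(require ffi/unsafe) ; trusted dependency, declared under the original inspector

(define tmp (find-system-path 'temp-dir))

;; Write a (module ...) form to <tmp>/<name>.rkt and return its path.
(define (write-module! name body)
  (define path (build-path tmp (format "~a.rkt" name)))
  (call-with-output-file path #:exists 'truncate
    (lambda (out) (write `(module ,name racket/base ,@body) out)))
  path)

;; Constructed "untrusted" module: foo-proc references malloc from ffi/unsafe
;; (assumed here to be one of its protected exports).
(define untrusted
  (write-module! 'untrusted-foo
                 '((require ffi/unsafe)
                   (provide foo-proc)
                   (define (foo-proc) (malloc 8)))))

;; Constructed control module: same shape, no protected bindings.
(define harmless
  (write-module! 'harmless-foo
                 '((provide foo-proc)
                   (define (foo-proc) (+ 1 2)))))

;; The pattern from the thread: the module is declared while a fresh,
;; weaker code inspector is current, so it cannot use protected bindings.
(define (load-untrusted path name)
  (parameterize ([current-code-inspector (make-inspector)])
    (dynamic-require path name)))

;; Returns (list 'ok result) on success or (list 'blocked message) when
;; loading or calling the module raises an exception.
(define (try-load path)
  (with-handlers ([exn:fail? (lambda (e) (list 'blocked (exn-message e)))])
    (list 'ok ((load-untrusted path 'foo-proc)))))

(printf "harmless:  ~s\n" (try-load harmless))
(printf "untrusted: ~s\n" (try-load untrusted))
```

Because the inspector is set with `parameterize` at run time around `dynamic-require`, this form also works inside a module file, unlike a module-level `require` placed after setting `current-code-inspector`.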