joelmccracken / elisp-sandbox Goto Github PK

Hey guys,

This project is super young at the moment. Feel free to throw whatever you want in the issue tracker!

Do you have any thoughts on DoS attack vectors? I'm especially concerned about specifics to the implementation of Emacs which makes some things problematic.

One thing that comes to mind, for example, is how Ruby doesn't garbage collect symbols. Thus, if untrusted code can create symbols, we have a DoS attack.

This seems really similar to Emacs' obarray. If we ever provided anything like setq for the users, we need to be careful not to actually add content obarray, or if we do, to make sure it gets cleaned up afterwards.

Any thoughts?

Im thinking elisp-sandbox. Thoughts?

I'm not sure if the submodules are still relevant but el-spec seems to be missing. test-double also seems to be missing.

can we remove this dependency?

I see you are writing your documentation as a string inside an emacs-lisp program and then generate a README file. If you don't find it convenient, you might want to try the approach used by the buttercup project. This project has some documentation (written in Markdown) containing tests that are both visible as documentation and executable as test suite.

The point of this is to allow evaling lisp safely.

We currently do not have an eval. Erbot's is just:

(defun fsi-eval (expr)
  (eval
   (erblisp-sandbox expr)))

which makes total sense. We should be able to do the same. However, erbot has a whole bunch of predefined macros and functions that implement the rest of the jail. Most of the things you raised concerns about on the README could be handled here. For example, here's the while:

(defmacro fs-while (cond &rest body)
  `(let
       ((erbn-while-ctr 0))
     (while
     ,cond
       ;; this should enable the with-timeout checks..
       (sleep-for 0.01)
       (if (> erbn-while-ctr erbn-while-max)
       (error "Max while iterations exceeded: %S"
          erbn-while-ctr))
       (incf erbn-while-ctr)
       nil
       ,@body)))

Note how it adds the sleep-for?

Now personally, what I'd like to do is ensure that file and network stuff is handled but run the actual lisp in a child emacs with a timeout, so we don't have to worry about this stuff (whether a while loop is malicious or impractical).

The other thing I'd like is for this stuff to be per-jail. So I should be able to create one jail with one set of bindings and another jail with another. That could just be flet's I suppose.

But anyway, we somehow need to make a start on this. My actor system is coming along so that would be the way to jail the process... but jailing the lisp needs all those functions from erbot that deal with implementing the lisp jail pulled in to your sandbox code.

I'll try and send you patches but if you're going to work on it too that would be exciting!