Comments (11)
ChrisRackauckas
commented on July 22, 2024
I see. Pre-parsing should be done before ParameterizedFunctions.jl then, since one place where ParameterizedFunctions is expanding is actually to make it easier to use user-defined functions (which of course runs counter to this)
from diffeqonlineserver.
ChrisRackauckas
commented on July 22, 2024
It seems like you have setup input sanitation. Are you looking to do more or is this complete?
from diffeqonlineserver.
amellnik
commented on July 22, 2024
Right now the user can execute arbitrary code on the server, we're only preventing them from defining new functions (not sure that even helps at all). I think we need to look at the parsed diff eq and vars and throw an error if any function not on a whitelist is called.
from diffeqonlineserver.
ChrisRackauckas
commented on July 22, 2024
Maybe this is a good list to whitelist from?
https://github.com/johnmyleswhite/Calculus.jl/blob/master/src/differentiate.jl#L116-L186
from diffeqonlineserver.
ChrisRackauckas
commented on July 22, 2024
Some people on the Gitter took it for a spin... to say the least. One thing that they found is that we need to also get rid of any control flow blocks:
2017-01-16T06:23:06.655428+00:00 app[web.1]: Diff equ: begin # none, line 2:
2017-01-16T06:23:06.655457+00:00 app[web.1]: dx = a * x - b * x * y # none, line 3:
2017-01-16T06:23:06.728152+00:00 app[web.1]: dy = -c * y + d * x * y + while true # none, line 3:
2017-01-16T06:23:06.728212+00:00 app[web.1]: end
2017-01-16T06:23:06.728266+00:00 app[web.1]: end
from diffeqonlineserver.
amellnik
commented on July 22, 2024
Good find, I should have some more time for this again tomorrow
…On Sun, Jan 15, 2017 at 10:33 PM, Christopher Rackauckas < ***@***.***> wrote:
Some people on the Gitter took it for a spin... to say the least. One
thing that they found is that we need to also get rid of any control flow
blocks:
2017-01-16T06:23:06.655428+00:00 app[web.1]: Diff equ: begin # none, line 2:
2017-01-16T06:23:06.655457+00:00 app[web.1]: dx = a * x - b * x * y # none, line 3:
2017-01-16T06:23:06.728152+00:00 app[web.1]: dy = -c * y + d * x * y + while true # none, line 3:
2017-01-16T06:23:06.728212+00:00 app[web.1]: end
2017-01-16T06:23:06.728266+00:00 app[web.1]: end
—
You are receiving this because you were assigned.
Reply to this email directly, view it on GitHub
<#6 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AGzU_rjkbZaLt05Mm94QurdrCjlPVBeIks5rSw9EgaJpZM4LjfvM>
.
from diffeqonlineserver.
ChrisRackauckas
commented on July 22, 2024
Right now the user can execute arbitrary code on the server, we're only preventing them from defining new functions (not sure that even helps at all).
that is not taking into account one line func deffinitions, I guess you are looking for the functionkeyword
from diffeqonlineserver.
Ismael-VC
commented on July 22, 2024
that is not taking into account one line func definitions
Please see: #7.
from diffeqonlineserver.
ChrisRackauckas
commented on July 22, 2024
Looks good. We should now probably expand the parsing to every Julia keyword for any kind of block. Is there a list somewhere?
from diffeqonlineserver.
ChrisRackauckas
commented on July 22, 2024
I think we're good on this. At least, everything I tried doesn't work anymore. Of course, there may be something I missed which we can deal with as its own case.
from diffeqonlineserver.
amellnik
commented on July 22, 2024
I think it looks good for the main expression. I'm going to move things around a bit to make sure that vars and similar also get the same sanitation.
from diffeqonlineserver.
Related Issues (8)
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from diffeqonlineserver.