Extending PHP with sandbox capability ?

21 years ago by prasek@silesia.cz — view source

unread

Sandbox ?

I have been forced to create PHP application that need inside execution of code snipplets from untrusted users and do it as secure as possible. I see it is not possible for some security raesons. (db connection,resources etc.). So I suggest to add a simple sandbox capability to PHP language, that help avoid security risk in situations where executing of 3rd party code inside of some application is needed.

I suggest, that code, what will be run inside a sandbox will have no way to acces resources (open files, db connection etc) from outside of the sandbox,will have a limited (ie strictly defined) acces to current global and local scope variablers and may be other security checks too.

I suggest to have following things:

Create_sandbox($path,$global_read,$global_write,$scope_read,$scope_write,$resource_available)

function that define sandbox and set its parameters.Parameters of the sandbox describes what from outside sandbox will be available inside.

$path = from where in filesystem code inside a sandbox can read/write/include other files
$global_read = list of global variables, that are readable inside a sandbox
$global_write = list of global variables, that are writable inside a sandbox
$scope_read = like $global_read,but for current scope
$scope_write = ......
$resource_available = list of openned resources, that are available inside a sandbox.

return $sandbox_id or false if fail.

sandbox_eval($sandbox_id,$code)

like eval, but inside a sandbox.

sandbox_include($sandbox_id,$path)

like include, but inside sandbox.

sandbox_close($sandbox_id)

close and destroy sandbox.

It hing it should work like this

<?
.
.
// do something
.
.
// define sandbox here
$sandbox_id= Create_sandbox($path,$global_read,$global_write,$scope_read,$scope_write,$resource_available)
.
.
.
// do something
.
.
//here I need to use previously defined sandbox
sandbox_eval($sandbox_id,$code)
.
.
// do something
.
.
.
//here I need to execute other code inside of the same sandbox
sandbox_include($sandbox_id,$path)
.
.
.
//do something
.
.
//end of script, so sandbox is closed
sandbox_close($sandbox_id)
?>

I thing that suggested things adds a simple to use, but yet secure and flexibile capabilities for executing "not so trusted" third party code inside any PHP aplication .It may add several bennefits for gerneral PHP security too.What do you think ?

PS: Execuse my bad language, English is not my native.

21 years ago by Lukas Smith — view source

unread

From: ing.Martin Prášek [mailto:prasek@silesia.cz]
Sent: Saturday, December 20, 2003 1:12 PM

Sandbox ?

I have been forced to create PHP application that need inside execution
of code snipplets from untrusted users and do it as secure as possible.
I see it is not possible for some security raesons. (db
connection,resources etc.). So I suggest to add a simple sandbox
capability to PHP language, that help avoid security risk in situations
where executing of 3rd party code inside of some application is needed.

<snip>

While syntactically not ideal here is a very flexible example to build off:
http://www.rubycentral.com/book/taint.html

BTW: if PHP wants to be the ultimate template engine it needs such a
feature. Due to PHP's flexibility its really hard to check the source for
potentially dangerous code so if you allow users to edit/add templates to
your system you have to trust them all the way if you are going to
include/require those template instead of simply pushing data into them and
then echo'ing them.

Regards,
Lukas

21 years ago by Christian Schneider — view source

unread

Lukas Smith wrote:

Sandbox ?

This would have to be done very carefully to not leave a backdoor
open. PHP offers oh so many ways of accessing the system.

I guess one'd have to start with safe_mode with quite some functions
disabled and go from there. But...

BTW: if PHP wants to be the ultimate template engine it needs such a

Maybe it's easier (and safer too) to not eval PHP code from external
sources. You'd also have to make sure the output of their code is valid
(X)HTML or they could render your whole site invalid (think closing
table they didn't open, inserting javascript code and the like). And
that's already hard enough as it is. Allowing them to submit SQL queries
for example opens up a whole new can of worms.

I guess a sandbox model is something to be thought about for PHP6 ;-)

Chris

21 years ago by prasek@silesia.cz — view source

unread

----- Puvodní zpráva -----
Od: "Christian Schneider" cschneid@cschneid.com
Komu: "Lukas Smith" smith@backendmedia.com
Kopie: "'ing.Martin Prá¹ek'" prasek@silesia.cz; internals@lists.php.net
Odesláno: 20. prosince 2003 19:28
Predmet: Re: [PHP-DEV] Extending PHP with sandbox capability ?

Lukas Smith wrote:

Sandbox ?

This would have to be done very carefully to not leave a backdoor
open. PHP offers oh so many ways of accessing the system.

I guess one'd have to start with safe_mode with quite some functions
disabled and go from there. But...

Safe mode is useful, but it is not what I need. Fix me if i am wrong, but I thing safe mofe can not be started in the middle of the script and then disabled again, so for creating a sandbox is complettly useles.

BTW: if PHP wants to be the ultimate template engine it needs such a

Maybe it's easier (and safer too) to not eval PHP code from external
sources.

Know that, but when you need it ?

You'd also have to make sure the output of their code is valid
(X)HTML or they could render your whole site invalid (think closing
table they didn't open, inserting javascript code and the like).

PHP5 have integrated tidy so let this (X)HTML check to be done by application designer, not by the sandbox itself.

that's already hard enough as it is. Allowing them to submit SQL queries
for example opens up a whole new can of worms.

Definietly, not. Because inside you have no acces to resources from inside of the sandbox, you can not use established db connections, opened files, shm and so on. Code inside the sandbox need to connect to sql database before any SQL can be used.If code inside sandbox will connect to database as another user (or better, to another database), there is very simple way, just using proper SQL GRANT/REVOKE by application designer and it keep vital data complettly out of reach for sandboxed code. I see no problems here.

I guess a sandbox model is something to be thought about for PHP6 ;-)

Chris

21 years ago by Wez Furlong — view source

unread

A real sandbox mechanism is not likely to be implemented, at least,
not for a very long time.

Having needed something like this myself for a commercial project
in the past, I settled on a "user-space sandbox" using the tokenizer
extension to parse the code and filter out unsafe functions, rewrite
"new" statements to prevent instantiation of certain classes, rewrite
access to global variables and so on.

Unfortunately, I don't own the code, so I cannot make it available.
However, the thing to remember is that you can never make it 100%
secure if you are executing anything that came from outside of your
program.

--Wez.

21 years ago by prasek@silesia.cz — view source

unread

----- Puvodní zpráva -----
Od: "Wez Furlong" wez@thebrainroom.com
Komu: "Christian Schneider" cschneid@cschneid.com; "ing.Martin Prásek" prasek@silesia.cz
Kopie: "Lukas Smith" smith@backendmedia.com; internals@lists.php.net
Odesláno: 21. prosince 2003 22:33
Predmet: Re: [PHP-DEV] Extending PHP with sandbox capability ?

A real sandbox mechanism is not likely to be implemented, at least,
not for a very long time.

Having needed something like this myself for a commercial project
in the past, I settled on a "user-space sandbox" using the tokenizer
extension to parse the code and filter out unsafe functions, rewrite
"new" statements to prevent instantiation of certain classes, rewrite
access to global variables and so on.

I know, there are probably some ways how to do that, but it required a lot of efford and are far far to be simple and effective.

You can, for example, do like this: Create on the fly appropriate wery restrictive php.ini file (safe mode, lot of things disabled etc), then call (via backtick for example) cli version of PHP , feed it with restrictive ini settings,serializabled variables and the untrusted code. And then grab its output. It will probably work and will be probably secure enough if well designed, but adds a lot of overhead....

I think PHP should have a simpliest ways for sandboxing code, without needs to build circus tent with bears, lions and even clowns for this.

May be in my originally proposed function, Create_Sandbox() adding a list of new ini settings for sandboxed code and/or list od enabled/disabled PHP modules and functions will do this job. So application designer can set .ini parameters and enabled PHP modules, that he will allow for use inside a sandbox. I thing this should be secure enough,especially with recomended approach "disable everything, enable ONLY things you need".

But I do not know how much work and time can take to add ability to temporairy disable certain moules or functions "on the fly" or temporairy change .ini settings and temporairy start a secure mode for integrating to zend engine.

PS: Execuse my bed english, it is not my native language.

Martin Prásek aka NTPT.