
Python CGI sandboxing advice (packaging of Online Python Tutor) - Was: Re: Best-practice / howto packaging of CGI-based Web app ?



Hi.

Paul Wise <pabs@debian.org> writes:

> On Thu, Feb 6, 2014 at 8:43 AM, Paul Wise wrote:
>
>> Which CGI are we talking about? Perhaps we can give more specific advice.
>
> I guess you mean Online Python Tutor (#737732).
>

Damn BTS ;) Indeed, I was considering OPT.

> Looking at the git repo, it includes a lot of embedded code copies of
> various JavaScript libraries and other code. As per policy 4.13 those
> should be packaged separately.
>
> https://wiki.debian.org/EmbeddedCodeCopies
>

Sure.

> I see some places where it uses os.system(). That should switch to
> using the subprocess module with shell disabled.
>
> The idea of this software is a bit concerning to me, it sounds like it
> runs arbitrary Python code on the server and passes the results back
> to the web. 

Exactly.

> I would suggest auditing it to ensure that it isn't one
> giant security hole. Please get CVEs for any issues that you find.
>
> http://oss-security.openwall.org/wiki/disclosure/cve
>

Yes, it is indeed something that might be problematic.

AFAICS for now, it uses a whitelist of Python modules that are allowed
(see [0]).

That looks safe at first sight, but I fear there could be some kind of
exploits if the "safe" modules have flaws...

I'm not an expert in Python code security so I'd welcome any advice.


In this respect, I can see the benefit of running it over a PaaS
solution like Google App Engine (which is advertised by the upstream
author's site), given that those Python execution
environments may naturally be sandboxed, etc.


Maybe a CGI sandboxing solution could be advised, for running over a
"normal" Debian system?

Thanks in advance.

Best regards,

[0] https://github.com/pgbovine/OnlinePythonTutor/blob/master/v3/pg_logger.py#L112
-- 
Olivier BERGER 
http://www-public.telecom-sudparis.eu/~berger_o/ - OpenPGP-Id: 2048R/5819D7E8
Ingenieur Recherche - Dept INF
Institut Mines-Telecom, Telecom SudParis, Evry (France)
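
The two points raised in this message, subprocess with the shell disabled and containing the executed code on a normal Debian system, sketched as an added example; it is not code from Online Python Tutor or from either poster. The helper name run_untrusted and the limit values are hypothetical, and a POSIX system is assumed. Resource limits bound CPU time and file writes only: the child still has the read and network access of the CGI user.

```python
import resource
import subprocess
import sys

CPU_SECONDS = 2          # assumed limit; tune per deployment
WALL_SECONDS = 5         # assumed wall-clock timeout

def _cap(which, value):
    # Never try to raise a limit above the inherited hard limit.
    _, hard = resource.getrlimit(which)
    if hard != resource.RLIM_INFINITY:
        value = min(value, hard)
    resource.setrlimit(which, (value, value))

def _limit_child():
    # Runs in the child between fork and exec.
    _cap(resource.RLIMIT_CPU, CPU_SECONDS)   # stop busy loops
    _cap(resource.RLIMIT_FSIZE, 0)           # no writes to regular files

def run_untrusted(source):
    """Run submitted source in a separate interpreter (hypothetical helper)."""
    # argv list + shell=False: `source` is one argument, never shell-parsed.
    # -I isolates from the environment and user site, -S skips site, -B
    # disables bytecode writes.
    argv = [sys.executable, "-I", "-S", "-B", "-c", source]
    try:
        proc = subprocess.run(
            argv, shell=False, env={}, cwd="/",
            stdin=subprocess.DEVNULL, capture_output=True, text=True,
            timeout=WALL_SECONDS, preexec_fn=_limit_child,
        )
    except subprocess.TimeoutExpired:
        return {"status": "timeout", "returncode": None, "stdout": ""}
    if proc.returncode < 0:
        status = "killed"        # terminated by a signal, e.g. the CPU limit
    else:
        status = "ok" if proc.returncode == 0 else "error"
    return {"status": status, "returncode": proc.returncode,
            "stdout": proc.stdout}

if __name__ == "__main__":
    # Constructed inputs: shell metacharacters stay literal data.
    print(run_untrusted("print('$HOME; echo x')"))
    print(run_untrusted("while True: pass"))
```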

