Re: [pygame] Python bots in Galcon (or your game!) safe_eval
Excellent work Phil, a subject close to my own heart/brain.
Jon
Quoting Phil Hassey <philhassey@xxxxxxxxx>:
> Hey,
>
> I spent some time today working on building a safe_eval function that would
> make it "safe" to run user submitted bots in games (Galcon, being that game
> ;)
>
> http://www.imitationpickles.org/tmp/safe.py
>
> The file includes links to a number of references on the topic, and why
> likely this won't work. Anyway - I know a lot of you wanted to make bots for
> Galcon, so that's why I'm trying to put this together. So if anyone can find
> security holes in my implementation, it would be a huge help - the more I
> find and get patched the more likely I am to actually release Galcon with
> ability for bot-plugins.
>
> The known limitations at the top are things that I don't really want to fix -
> they are just limitations. :) I'm mainly interested in limiting what a bot
> can access (say other parts of the game code) and keeping them from using
> builtins like files, etc.
>
> The two things I do in this script are:
> - Step through the AST tree and reject scripts that use any non-whitelisted
> node types. A lot of python features are dropped, but enough are kept for
> building decent bots (the main bot from Galcon is "ok" as far as safe.py is
> concerned.) I pretty much reject anything that falls into the magic category
> - generators, imports, execs, exceptions, etc...
> - Replace non-whitelisted builtins with a function that raises an exception
> "you used a bad builtin!", runs "exec code in context" and then restores all
> the builtins.
>
> Anyway, feel free to poke around the code. I think a working safe_eval would
> be a huge asset for games developed in python that want to have user
> submitted mods / bots.
>
> Thanks!
> Phil
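The two steps described in Phil's message (a node-type whitelist over the AST, then execution with only whitelisted builtins visible), as an added example that is not part of this thread and is not safe.py's code. It assumes Python 3's `ast` module; the whitelists, the underscore-name check and the sample bot are illustrative, and it hides builtins by passing a restricted `__builtins__` to `exec` rather than swapping and restoring the real ones, so a blocked builtin surfaces as a `NameError`.

```python
import ast

# Illustrative whitelists (assumptions), not the ones used by safe.py.
ALLOWED_NODES = (
    ast.Module, ast.Expr, ast.Assign, ast.AugAssign, ast.Name, ast.Load,
    ast.Store, ast.Constant, ast.BinOp, ast.UnaryOp, ast.BoolOp, ast.Compare,
    ast.operator, ast.unaryop, ast.boolop, ast.cmpop, ast.If, ast.For,
    ast.While, ast.Break, ast.Continue, ast.Pass, ast.Call, ast.keyword,
    ast.List, ast.Tuple, ast.Attribute, ast.FunctionDef, ast.arguments,
    ast.arg, ast.Return,
)
ALLOWED_BUILTINS = {"abs": abs, "len": len, "max": max, "min": min,
                    "range": range, "sum": sum, "sorted": sorted}
# Constructed sample bot script, used only to exercise the checker.
SAMPLE_BOT = """
def pick(planets):
    best = 0
    for p in planets:
        if p > best:
            best = p
    return best
target = pick([3, 9, 4]) + len([1, 2])
"""

class UnsafeScript(Exception):
    """Raised when a script uses a node type or name outside the whitelist."""

def check_script(source):
    """Parse source and reject it unless every AST node is whitelisted."""
    tree = ast.parse(source)
    for node in ast.walk(tree):
        if not isinstance(node, ALLOWED_NODES):
            raise UnsafeScript("node type not allowed: " + type(node).__name__)
        # Extra restriction, not described in the post: no underscore names.
        for field in ("id", "attr", "name", "arg"):
            name = getattr(node, field, None)
            if isinstance(name, str) and name.startswith("_"):
                raise UnsafeScript("underscore name not allowed: " + name)
    return tree

def safe_exec(source, context=None):
    """Run a checked script with only the whitelisted builtins visible."""
    tree = check_script(source)
    env = dict(context or {})
    env["__builtins__"] = dict(ALLOWED_BUILTINS)
    exec(compile(tree, "<bot>", "exec"), env)
    env.pop("__builtins__")
    return env

if __name__ == "__main__":
    print(safe_exec(SAMPLE_BOT)["target"])
```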