Welcome to RestrictedPython’s documentation!¶
The Idea behind RestrictedPython¶
Python is a Turing complete programming language. To offer a Python interface for users in web context is a potential security risk. Web frameworks and Content Management Systems (CMS) want to offer their users as much extensibility as possible through the web (TTW). This also means to have permissions to add functionality via a Python Script.
There should be additional preventive measures taken to ensure integrity of the application and the server itself, according to information security best practice and unrelated to Restricted Python.
RestrictedPython defines a safe subset of the Python programming language. This is a common approach for securing a programming language. The Ada Ravenscar profile is another example of such an approach.
Defining a secure subset of the language involves restricting the EBNF elements and explicitly allowing or disallowing language features. Much of the power of a programming language derives from its standard and contributed libraries, so any calling of these methods must also be checked and potentially restricted. RestrictedPython generally disallows calls to any library that is not explicit whitelisted.
As Python is a scripting language that is executed by an interpreter. Any Python code that should be executed have to be explicit checked before executing a generated byte code by the interpreter.
Python itself offers three methods that provide such a workflow:
compile()which compiles source code to byte code
exec()which executes the byte code in the interpreter
eval()which executes a byte code expression
Therefore RestrictedPython offers a replacement for the python builtin function
compile() (Python 2: https://docs.python.org/2/library/functions.html#compile / Python 3 https://docs.python.org/3/library/functions.html#compile).
This method is defined as following:
compile(source, filename, mode [, flags [, dont_inherit]])
The definition of the
compile() method has changed over time, but its relevant parameters
mode still remain.
There are three valid string values for
For RestrictedPython this
compile() method is replaced by:
compile_restricted(source, filename, mode [, flags [, dont_inherit]])
The primary parameter
source has to be a ASCII or
unicode string (With Python 2.6 an additional option for source was added:
ast.AST for Code generation).
Both methods either returns compiled byte code that the interpreter could execute or raise exceptions if the provided source code is invalid.
compile_restricted just compile the provided source code to byte code it is not sufficient to sandbox the environment, as all calls to libraries are still available.
The two methods / Statements:
have two parameters:
which are a reference to the Python builtins.
By modifying and restricting the available modules, methods and constants from globals and locals we could limit the possible calls.
Additionally RestrictedPython offers a way to define a policy which allows developers to protect access to attributes. This works by defining a restricted version of:
Also RestrictedPython provides three predefined, limited versions of Python’s own
limited_builtins(by Limits.py), which provides restricted sequence types
utilities_builtins(by Utilities.py), which provides access for standard modules math, random, string and for sets.
Additional there exist guard functions to make attributes of Python objects immutable –>
full_write_guard (write and delete protected)
- The Idea behind RestrictedPython
- Grundlagen von RestrictedPython und der Sicherheitskonzepte von Zope2
- Usage of RestrictedPython
- API of RestrictedPython 4.0
- RestrictedPython 3.6.x and before
- RestrictedPython 4+
- Concept for a upgrade to Python 3
- Upgrade dependencies
- Roadmap for RestrictedPython