
Parsing for safe eval about php-parser HOT 4 CLOSED

nikic avatar nikic commented on May 3, 2024
Parsing for safe eval

from php-parser.

Comments (4)

nikic avatar nikic commented on May 3, 2024

Sorry for the late reply, I have no excuse for not answering earlier.

PHP sandboxing was one of my first motivations behind this project, but it is a rather complicated problem if you want to do it by static code analysis / preprocessing. If you are going to evaluate user-submitted code then the only really safe way is to evaluate it in a separate jail (or whatever the operating system provides).

Sandboxing through preprocessing is really hard in PHP, because of its dynamic nature. You can easily check that exec(...) is disallowed, but it already is harder to make sure $func() is safe. But that's just the beginning. There are many, many subtle ways in PHP to run something, which are often little-known or easy to overlook. E.g. you could easily miss some particular function taking a callback or some indirect way of executing a call, like with (new ReflectionFunction('exec'))->invoke(...).

So I'm not really sure whether this kind of security checking makes any practical sense as there are just too many points of failure. I find this mostly intriguing from the theoretical point of view. So after I saw this issue I took some old tokenizer-based sandbox code and ported it to use the PHP-Parser. While doing that I found a lot of issues, which I'm trying to resolve. If I manage to figure everything out I'll publish the library. Though as I said, I don't think that it makes sense to use this in practice.

So, to answer the question: Yes, it's possible. But whether it makes sense depends on the specific case. (The narrower the case the easier it should be to properly handle it.)

Again, sorry for the late reply.

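As an added illustration of the point made in the comment above (this is example code written for this page, not code from nikic or from the php-parser project), the visitor below uses PHP-Parser to audit a snippet. It catches the easy case, a literal call to `exec()`, but it also has to reject every call whose callee is an expression rather than a name, every code-executing language construct, reflection objects, and string literals that name a denied function (the callback case), because a name-based denylist alone cannot see through any of those. It assumes PHP-Parser 5.x installed via Composer and PHP 8.1 or newer; the denied-function list and the sample inputs are constructed for the demonstration.

```php
<?php
// Added example, not part of the php-parser project: a NodeVisitor that shows
// why a static denylist of function names is only the beginning of a sandbox.
// Assumes PHP-Parser 5.x (Composer autoload) and PHP >= 8.1.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use PhpParser\Error;
use PhpParser\Node;
use PhpParser\NodeTraverser;
use PhpParser\NodeVisitorAbstract;
use PhpParser\ParserFactory;

final class SandboxAuditVisitor extends NodeVisitorAbstract
{
    /** Constructed, deliberately short denylist; a real one is far longer. */
    private const DENIED_FUNCTIONS = ['exec', 'shell_exec', 'system', 'passthru'];

    /** @var string[] one finding per rejected construct */
    public array $findings = [];

    public function enterNode(Node $node)
    {
        if ($node instanceof Node\Expr\FuncCall) {
            if ($node->name instanceof Node\Name) {
                // 1. Literal name: the easy case.
                $name = $node->name->toLowerString();
                if (in_array($name, self::DENIED_FUNCTIONS, true)) {
                    $this->reject($node, "direct call to denied function $name()");
                }
            } else {
                // 2. $func() or ("ex" . "ec")(): the callee is an expression,
                // so its name is not knowable statically. Reject outright.
                $this->reject($node, 'call through a dynamic callee expression');
            }
        }

        // 3. Constructs that execute code without being a FuncCall at all.
        if ($node instanceof Node\Expr\Eval_
            || $node instanceof Node\Expr\Include_
            || $node instanceof Node\Expr\ShellExec) {
            $this->reject($node, 'code-executing language construct');
        }

        // 4. Indirect invocation: reflection objects and dynamic method names.
        if ($node instanceof Node\Expr\New_
            && $node->class instanceof Node\Name
            && str_starts_with($node->class->toLowerString(), 'reflection')) {
            $this->reject($node, 'construction of a Reflection object');
        }
        if (($node instanceof Node\Expr\MethodCall || $node instanceof Node\Expr\StaticCall)
            && !($node->name instanceof Node\Identifier)) {
            $this->reject($node, 'method or static call with a dynamic method name');
        }

        // 5. Callbacks: a string literal naming a denied function can reach
        // it through any callback-taking function, so flag the literal itself.
        if ($node instanceof Node\Scalar\String_
            && in_array(strtolower($node->value), self::DENIED_FUNCTIONS, true)) {
            $this->reject($node, 'string literal naming a denied function (possible callback)');
        }

        return null;
    }

    private function reject(Node $node, string $why): void
    {
        $this->findings[] = sprintf('line %d: %s', $node->getStartLine(), $why);
    }
}

/** Parse $code and return the list of findings (empty means nothing was flagged). */
function auditPhpSource(string $code): array
{
    $parser = (new ParserFactory())->createForNewestSupportedVersion();
    try {
        $stmts = $parser->parse($code);
    } catch (Error $e) {
        return ['parse error: ' . $e->getMessage()];
    }
    $visitor = new SandboxAuditVisitor();
    $traverser = new NodeTraverser();
    $traverser->addVisitor($visitor);
    $traverser->traverse($stmts ?? []);
    return $visitor->findings;
}

// Constructed test inputs: each one exercises a different shape from the comment.
$samples = [
    'direct'   => '<?php exec("id");',
    'dynamic'  => '<?php $f = "ex" . "ec"; $f("id");',
    'reflect'  => '<?php (new ReflectionFunction("exec"))->invoke("id");',
    'callback' => '<?php array_map("exec", ["id"]);',
    'benign'   => '<?php echo strtoupper("hello");',
];
foreach ($samples as $label => $src) {
    $findings = auditPhpSource($src);
    printf("%-8s %s\n", $label, $findings ? implode('; ', $findings) : 'no findings');
}
```

The visitor is intentionally over-strict: rejecting every dynamic callee and every matching string literal will refuse plenty of harmless code, and even then it covers only the shapes listed in the comment. That is the practical conclusion of the thread: the static pass is a useful first filter, but the actual security boundary has to be the separate process or OS-level jail, with PHP's own `disable_functions` and `disable_classes` as the next line of defence.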

CMCDragonkai avatar CMCDragonkai commented on May 3, 2024

Hey nikic, I wrote a sandbox and have it live here http://phpbounce.aws.af.cm

I got through linting, parsing, whitelisting, blacklisting and separate process sandbox. I've switched off whitelisting, but I'm not sure how secure it is. Can you check it out?

BTW, this is a very impressive project for someone who is 17!


nikic avatar nikic commented on May 3, 2024

From a quick look at the code you seem to be using PHP's internal disable_functions and disable_classes features. There should be no way around those short of exploiting PHP itself. Though I obviously don't know how complete the blacklists you are using are.


CMCDragonkai avatar CMCDragonkai commented on May 3, 2024

Indeed, in fact in my whitelist I went through 4400 functions manually. Anyway, thanks for the code, it works well.
