michalmuskala / safeish

NOT FOR PRODUCTION USE: Safe-ish is an experimental sandbox for BEAM modules that examines and rejects BEAM bytecode containing instructions that could cause side effects. You can provide an optional whitelist of opcodes and functions the module is allowed to use.

Home Page:https://hexdocs.pm/safeish/Safeish.html

Safe-ish

NOT FOR PRODUCTION USE

Safe-ish is an experimental, minimally restrictive sandbox for BEAM modules that examines and rejects BEAM bytecode at load time containing instructions that could cause side effects such as:

  • Spawning processes
  • Sending and receiving messages
  • File system access
  • Network access
  • Compilation
  • System level introspection and diagnostics
  • Various apply functions and dynamic creation of atoms at runtime (either of which would allow calls to non-whitelisted modules)

You can provide an optional whitelist of modules, functions and language features that the loaded module is allowed to use. Whitelists are applied to calls and also to function literals, because the latter can be used to construct calls in BEAM assembly without using apply().

Use

You can call:

  • Safeish.check(bytecode) to check the binary bytecode without loading the module
  • Safeish.load_bytecode(bytecode) to check the bytecode and then load the module if it is ok
  • Safeish.load_file(path) to read the bytecode from the .beam file at path, then check and load it if it is ok

All the above functions take a second optional whitelist argument of calls and language features to allow. The following list entries are allowed:

  • Module to allow calls to any function in Elixir module Module
  • {Module, function} to allow calls to an Elixir function with any arity
  • {Module, function, arity} to allow calls to an Elixir function with a specific arity
  • :module to allow calls to any function in Erlang module :module
  • {:module, function} to allow calls to an Erlang function with any arity
  • {:module, function, arity} to allow calls to an Erlang function with a specific arity
  • :send to allow sending of messages
  • :receive to allow receipt of messages

The return value for all functions is either {:ok, Module} or {:error, ["reason 1", "reason 2", ...]}

Example

> Safeish.load_file("CallFileRead.beam")
{:error, CallFileRead, ["Elixir.File.read/1 not whitelisted"]}
> Safeish.load_file("CallFileRead.beam", [{File, :read, 1}])
{:ok, CallFileRead}
> CallFileRead.somefunc()
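As an added example (not part of the Safe-ish project), the following script compiles two small modules in memory and runs Safeish.check/2 against different whitelists, so the effect of each whitelist entry described above can be seen side by side. It assumes the :safeish dependency is available and that check/2 returns {:ok, Module} or one of the {:error, ...} shapes shown in this README.

```elixir
# Added example, not code from the Safe-ish project.
# Assumes :safeish is a dependency and Safeish.check/2 behaves as documented.
defmodule SafeishDemo do
  # A module with no remote calls at all.
  @pure_src """
  defmodule Demo.Pure do
    def double(x), do: x * 2
  end
  """

  # A module that reads a file and sends a message: both are side effects.
  @side_effect_src """
  defmodule Demo.Reader do
    def read(path), do: File.read(path)
    def notify(pid), do: send(pid, :done)
  end
  """

  # Code.compile_string/1 returns [{module, bytecode}] and also loads the
  # module into this VM; here we only use the bytecode. With untrusted input
  # you would hand the .beam file to Safeish.load_file/2 instead.
  defp bytecode(src) do
    [{_mod, bin}] = Code.compile_string(src)
    bin
  end

  # Normalise the two error shapes shown in the README into {:rejected, reasons}.
  defp verdict({:ok, mod}), do: {:allowed, mod}
  defp verdict({:error, reasons}) when is_list(reasons), do: {:rejected, reasons}
  defp verdict({:error, _mod, reasons}), do: {:rejected, reasons}

  def run do
    pure = bytecode(@pure_src)
    reader = bytecode(@side_effect_src)

    [
      # No remote calls, checked against the empty whitelist.
      {"pure, empty whitelist", pure, []},
      # File.read/1 and send/2 are not whitelisted, so a rejection is expected
      # with reasons such as "Elixir.File.read/1 not whitelisted".
      {"reader, empty whitelist", reader, []},
      # Allow exactly File.read/1 plus message sending.
      {"reader, File.read/1 + :send", reader, [{File, :read, 1}, :send]}
    ]
    |> Enum.map(fn {label, bin, whitelist} ->
      {label, verdict(Safeish.check(bin, whitelist))}
    end)
  end
end

IO.inspect(SafeishDemo.run())
```

Run it with `mix run` inside a project that lists :safeish in its dependencies; each tuple in the output pairs a whitelist with the verdict Safe-ish gave for that bytecode.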

Installation

The package can be installed by adding safeish to your list of dependencies in mix.exs:

def deps do
  [
    {:safeish, "~> 0.5.0"}
  ]
end

Documentation can be generated with ExDoc and can be found at https://hexdocs.pm/safeish.

License: MIT License
