odoo/enterprise#48919

Created by Jordan Dalcq (joda)
Closed
label: odoo-dev:master-safe_eval_redo-joda
head: 268af09f1ca0c8d8e021d07be2b0270713982313

[REF] base: safe_eval rewrite using AST

Context

safe_eval is Odoo's sandbox; this mechanism allows users and
developers to write templates, server actions, and more without
worrying about the security risks associated with arbitrary code execution.

The current version of the sandbox heavily relies on Python's bytecodes
and compile-time verifications. This causes 2 major problems:

1) In every release of Python, its bytecodes are updated or modified,
which makes Odoo unusable until the security / framework team updates the
whitelist of bytecode.

2) Most sandboxing issues we have faced over the last years were due to a
lack of runtime checks (function inputs (arguments) and outputs
(return values)). Almost every time, those kinds of issues were
fixed with "dirty" hacks such as adding a list of
"unsafe attributes" or adding a wrapper for modules that expose
unsafe objects (such as the sys module).

Goal of the change

During this rewrite we had a few goals:

1) Retain compatibility with the original version:
* Find a way to keep the old checks (deny dunders, attribute storing
and deleting)
* Keep the same exposed API, limiting the amount of code that needs
to be rewritten as much as possible

2) Add runtime checks to verify that every type passed and returned is
safe by checking its type. The way the sandbox does it is by
using two sets of types: one for the types we allow to instantiate
(the ones we have absolute trust in, most of them primitive
types such as str and int) and one for the types we only allow as
instances; this means that you CANNOT instantiate them inside the
sandbox (for example the SQL cursor or the Odoo environment).

3) Eliminate the issues with .format and .format_map.
This is a well-known issue within the Python security community; if
you want more info: https://lucumr.pocoo.org/2016/12/29/careful-with-str-format/

Linked with odoo/odoo#138611
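To make the design in the PR description concrete, here is an added, self-contained toy of the same two-tier policy (constructed for this page; it is not Odoo's safe_eval and does not reflect the actual implementation in odoo/odoo#138611): an AST pass that denies dunders, attribute store/delete and str.format, refuses to instantiate any type outside the trusted set, and a runtime check on the value that leaves the sandbox. The Cursor class and the two type sets are assumed stand-ins.

```python
import ast

# Tier 1: types the sandbox may construct itself (fully trusted, mostly primitives).
INSTANTIABLE = {str, int, float, bool, list, dict, tuple, set, type(None)}


class Cursor:
    """Constructed stand-in for a trusted object such as an SQL cursor:
    usable when handed in as an instance, never constructible in the sandbox."""
    def execute(self, query):
        return "executed: " + query


# Tier 2: types that may only enter the sandbox as pre-existing instances.
INSTANCE_ONLY = {Cursor}
DENIED_ATTRS = {"format", "format_map"}  # str.format can reach attributes of its arguments


class Checker(ast.NodeVisitor):
    """Compile-time checks: no dunders, no attribute store/delete, no str.format,
    and no name that resolves to a class outside the instantiable set."""
    def __init__(self, context):
        self.context = context

    def visit_Attribute(self, node):
        if node.attr.startswith("__") or node.attr in DENIED_ATTRS:
            raise ValueError(f"forbidden attribute: {node.attr}")
        if not isinstance(node.ctx, ast.Load):
            raise ValueError("attribute store/delete is forbidden")
        self.generic_visit(node)

    def visit_Name(self, node):
        value = self.context.get(node.id)
        if isinstance(value, type) and value not in INSTANTIABLE:
            raise ValueError(f"{value.__name__} cannot be instantiated in the sandbox")


def check_type(value):
    """Runtime check on the value returned by the sandboxed expression (shallow)."""
    if type(value) in INSTANTIABLE or type(value) in INSTANCE_ONLY:
        return value
    raise TypeError(f"unsafe result type: {type(value).__name__}")


def safe_eval(expr, context):
    tree = ast.parse(expr, mode="eval")
    Checker(context).visit(tree)
    code = compile(tree, "<sandbox>", "eval")
    return check_type(eval(code, {"__builtins__": {}}, dict(context)))


def rejects(expr, context):
    """True when the sandbox refuses the expression at compile or run time."""
    try:
        safe_eval(expr, context)
    except (ValueError, TypeError):
        return True
    return False
```

The runtime check here is deliberately shallow (it inspects only the top-level result, not container contents), which is exactly the kind of gap the PR's per-argument and per-return-value checks are meant to close.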