Development #5279

Expression attribute source

Added by Benjamin Dauvergne about 5 years ago. Updated over 3 years ago.

Status: New
Priority: Low
Assignee: -
Category: -
Target version:
Start date: 14 Aug 2014
Due date:
% Done: 0%
Patch proposed: No
Planning: No

Description

I consider the proposed code experimental and, reading the history of safe Python code evaluation, very likely insecure, so it's just for discussion.

It depends upon an untested safe-expression evaluator library [1], which is the part likely to be insecure. This library parses the expression as a Python abstract syntax tree and only keeps the node types deemed secure.

A secure implementation would maybe use a JS interpreter augmented with a sandbox [2] module and should be able to flag "broken" code so that it is not run anymore after detection (if the broken property can only be detected at runtime, like exceeding the timeout).

[1] https://github.com/bdauvergne/python-safe-expression

[2] https://github.com/gf3/sandbox

0001-add-attribute-source-models-AttributeSource-is-a-bas.patch (39.1 KB), Benjamin Dauvergne, 14 Aug 2014 12:14 PM

0002-attributes_ng-sources-add-new-expression-source.patch (5.47 KB), Benjamin Dauvergne, 14 Aug 2014 12:14 PM

0003-add-a-model-representation-for-expression-attribute-.patch (14.8 KB), Benjamin Dauvergne, 14 Aug 2014 12:14 PM
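The AST-whitelist technique the description attributes to the evaluator library, shown here as an added example (not code from python-safe-expression or from the attached patches): the expression is parsed in `eval` mode, every node must belong to a fixed set of node types, every name must be one of the supplied attributes, and only then is it compiled and evaluated with builtins removed. The user dictionary and the attribute expressions are constructed sample input.

```python
import ast

# Whitelisted node types: arithmetic, comparisons, boolean logic, literals, a
# conditional expression and names. Attribute access, calls and subscripts are
# absent from the list, so any expression containing them is rejected.
ALLOWED_NODES = (
    ast.Expression, ast.BinOp, ast.UnaryOp, ast.BoolOp, ast.Compare, ast.IfExp,
    ast.Constant, ast.Name, ast.Load, ast.Add, ast.Sub, ast.Mult, ast.Div,
    ast.USub, ast.Not, ast.And, ast.Or, ast.Eq, ast.NotEq, ast.Lt, ast.LtE,
    ast.Gt, ast.GtE,
)

class UnsafeExpression(ValueError):
    """Raised when an expression uses a construct outside the whitelist."""

def check_expression(source, allowed_names):
    """Parse one expression; reject non-whitelisted nodes and unknown names."""
    try:
        tree = ast.parse(source, mode="eval")
    except SyntaxError as exc:
        raise UnsafeExpression("syntax error: %s" % exc)
    for node in ast.walk(tree):
        if not isinstance(node, ALLOWED_NODES):
            raise UnsafeExpression("disallowed node %s" % type(node).__name__)
        if isinstance(node, ast.Name) and node.id not in allowed_names:
            raise UnsafeExpression("unknown name %r" % node.id)
    return tree

def evaluate_attribute(source, variables):
    """Evaluate a checked expression with builtins removed from the namespace."""
    tree = check_expression(source, set(variables))
    code = compile(tree, "<attribute-expression>", "eval")
    return eval(code, {"__builtins__": {}}, dict(variables))

def is_accepted(source, variables):
    """True when `source` passes the whitelist, False when it is rejected."""
    try:
        check_expression(source, set(variables))
        return True
    except UnsafeExpression:
        return False

if __name__ == "__main__":
    # Constructed sample: a few attributes of one user, as the identity
    # provider would expose them to an expression attribute source.
    user = {"is_staff": True, "uid": "alice", "age": 34}
    print(evaluate_attribute("'staff' if is_staff else 'member'", user))
    for expr in ("age >= 18 and uid != ''", "uid.upper()", "len(uid)", "password"):
        print(expr, "->", "accepted" if is_accepted(expr, user) else "rejected")
```

The whitelist only controls which syntax reaches `eval()`; it says nothing about runtime cost, which is why the description also asks for a timeout and for a way to flag code that exceeds it so it is not run again.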

History

#1 Updated by Frédéric Péters about 5 years ago

What would the use case be? I ask this because it looks to me like it duplicates the existing attributes_ng/sources/function.py module.

#2 Updated by Benjamin Dauvergne about 5 years ago

It would be easier to configure through the UI; function.py can do more (I mean "have side effects"), but you need to create a Python module or put the definition in config.py to configure it. Expression attributes would use a safe and common language so that users of a SaaS service can code their own "smart" attributes. Java applications often use the JavaScript interpreter provided by the JDK for that.

#3 Updated by Benjamin Dauvergne almost 5 years ago

  • Assignee set to Benjamin Dauvergne

#4 Updated by Benjamin Dauvergne almost 5 years ago

  • Priority changed from Normal to Low

#5 Updated by Benjamin Dauvergne over 4 years ago

  • Target version set to future

#6 Updated by Benjamin Dauvergne over 4 years ago

  • Patch proposed changed from Yes to No

#7 Updated by Benjamin Dauvergne over 3 years ago

  • Assignee deleted (Benjamin Dauvergne)
