Security: Implement RestrictedPython for safer custom code execution #235

Open
coderabbitai bot opened this issue Jan 21, 2025 · 0 comments · May be fixed by #251

coderabbitai bot commented Jan 21, 2025

Background

Currently, the custom code compiler uses raw exec() to execute user-provided Python code, which could potentially be unsafe as it has unrestricted access to Python builtins and the global namespace.

Proposed Solution

Implement RestrictedPython to provide a safer execution environment for custom code. This will:

  1. Restrict access to potentially dangerous builtins
  2. Run code in an isolated namespace
  3. Prevent access to sensitive operations

References

Implementation Notes

  • Add RestrictedPython as a dependency
  • Replace current exec() implementation with RestrictedPython's secure execution
  • Add tests to verify security restrictions are working as expected

Security Considerations

This enhancement will improve the security posture of the custom code execution feature by preventing potentially malicious code from accessing sensitive operations or resources.

devin-ai-integration bot added a commit that referenced this issue Jan 22, 2025
Closes #235

- Added RestrictedPython for secure code execution
- Implemented custom AST transformer with type annotation support
- Added tests for secure code execution and attribute access
- Added checksum validation for code integrity
- Configured safe builtins and attribute access guards

Link to Devin run: https://app.devin.ai/sessions/52a534be7286449eb767cf386ac6d001

Co-Authored-By: Aaron <AJ> Steers <aj@airbyte.io>
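
A standard-library sketch of the three restrictions the issue lists (curated builtins, a fresh namespace, and rejecting sensitive constructs before execution), next to the raw `exec()` baseline, in the shape the requested tests would check. It is an added example, not RestrictedPython's API or the project's code; `ALLOWED_BUILTINS`, `check_policy`, `run_custom_code`, `run_raw` and the sample strings are hypothetical, and RestrictedPython enforces a far more complete policy than this.

```python
import ast

# Constructed allow-list for this sketch; a real one is a project decision.
ALLOWED_BUILTINS = {"len": len, "range": range, "str": str, "int": int,
                    "dict": dict, "list": list, "sorted": sorted}

class PolicyViolation(Exception):
    """Custom code used a construct this sketch's policy rejects."""

def check_policy(source):
    """Compile-time check: no imports, no underscore-prefixed names or attributes."""
    tree = ast.parse(source, mode="exec")
    for node in ast.walk(tree):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            raise PolicyViolation(f"line {node.lineno}: import not allowed")
        if isinstance(node, ast.Attribute) and node.attr.startswith("_"):
            raise PolicyViolation(f"line {node.lineno}: attribute {node.attr!r}")
        if isinstance(node, ast.Name) and node.id.startswith("_"):
            raise PolicyViolation(f"line {node.lineno}: name {node.id!r}")
    return tree

def run_custom_code(source):
    """Run checked code in a fresh namespace that sees only ALLOWED_BUILTINS."""
    tree = check_policy(source)
    namespace = {"__builtins__": dict(ALLOWED_BUILTINS)}
    exec(compile(tree, "<custom_code>", "exec"), namespace)
    # Hand back only what the code defined, not the builtins table.
    return {k: v for k, v in namespace.items() if k != "__builtins__"}

def run_raw(source):
    """Baseline the issue describes: exec() with the full builtins module."""
    namespace = {}
    exec(source, namespace)
    return namespace

# Constructed sample inputs.
BENIGN = "def transform(record):\n    return {k: str(v) for k, v in record.items()}\n"
USES_OPEN = "handle = open\n"
USES_IMPORT = "import os\n"
USES_DUNDER = "kind = ''.__class__\n"

if __name__ == "__main__":
    print(run_custom_code(BENIGN)["transform"]({"id": 7}))
    for sample in (USES_OPEN, USES_IMPORT, USES_DUNDER):
        try:
            run_custom_code(sample)
        except (NameError, PolicyViolation) as exc:
            print(f"rejected {sample.strip()!r}: {exc}")
```
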