ARgorithm/toolkit

File verification support in CLI

Closed this issue · 11 comments

Adding the preplanned verification feature to the CLI so that users don't submit broken files

As we are running user given code in our server, not validating the code that the user submits to server becomes a serious security issue:
Things to be considered during validation:

  1. The code submitted should return ARgorithmToolkit.StateSet
  2. The code should execute normally outside server as well
  3. The code should not refer to or call any of the objects used in Server
  4. The code should not import any external library other than ARgorithmToolkit

More info: https://portswigger.net/kb/issues/00100f10_python-code-injection

So we just have to block any import or call to anything other than Toolkit STL

So we just have to block any import or call to anything other than Toolkit STL

Utkarsh is working on the file content verification to check whether StateSet is being returned, so we just have to check what all is being imported and what all variables are being accessed as well.

Python has inbuilt methods to do that, so we can use that feature. Let me know if any help is required.

Python has inbuilt methods to do that, so we can use that feature. Let me know if any help is required.

@UtkG07 wanted to do this as this is a good issue to understand the project as well
If he needs help, I'll ask him to come to you

@yatharthmathur should we make parameters and example into a list instead of an object?

In the json file?

Yeah

Unity's in-built JSON parser (which is preferred coz of speed) does not have a proper way to jsonify dynamic objects such as those that we use in parameters and example. In Python we can convert dicts to JSON, giving us a lot more functionality

import json

# named data rather than object, which would shadow the Python builtin
data = {
    "key" : "value"
}
k = json.dumps(data)

But in C#, JsonUtility has no support for dict; the only collections supported are Array and List. Thus creating dynamic objects becomes complicated.

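[Serializable]
public class Object{
      public int key;  // the field's type is fixed at compile time
}

// "object" is a reserved word in C#, so the instance is named obj
var obj = new Object{ key = 2 };
string jsonified = JsonUtility.ToJson(obj);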

So I know this can be solved on the unity-app side as well by creating some template classes or using a third-party Unity JSON parser, but wanted to have a look at whether it's feasible to convert parameters and example to list. Does that help us or just make it complicated for advanced use cases?

Whatever data we can simplify into lists can be just converted to list. The rest we'll have to parse anyways and store into in-app C# runtime data structures

Update in config.json design

To make it easier to parse config.json to generate input boxes, we will be making some changes in the parameters.
Each key in parameters will have an object with the two compulsory fields description and type.

  • description : stores the description of the variable
  • type : stores the type of data input. There will be 4 types of data inputs available :
    • INT
    • FLOAT
    • STRING
    • ARRAY
    • MATRIX

MATRIX and ARRAY can have a further item-type which defines the type of elements in it.

INT

type : INT means that an integer input will be requested for this variable. Variables with type INT can have two more keys start and end describing the range between which the int value should exist. They are not compulsory.

FLOAT

type : FLOAT means that a floating point number input will be requested for this variable. Variables with type FLOAT can have two more keys start and end describing the range between which the float value should exist. They are not compulsory.

STRING

type : string means that a string input will be requested for this variable. You can define an additional parameter size which can either be a string referring to another parameter of type INT or an integer which will be considered as the size.

ARRAY

type: array requests an input of a 1 dimensional series of items. You will have to define an item-type to define its type, which can be INT, FLOAT, STRING. You can define an additional parameter size which can either be a string referring to another parameter of type INT or an integer which will be considered as the size.

MATRIX

type: matrix requests an input of a 2 dimensional series of items. You will have to define an item-type to define its type, which can be INT, FLOAT, STRING. You can define additional parameters row and col which work similarly to size in array.

Sample config.json

{
    "argorithmID": "template", 
    "file": "template.py", 
    "function": "run", 
    "parameters": {
        "n" : {
            "description" : "",
            "type" : "INT"
        },
        
        "st" : {
            "description" : "",
            "type" : "STRING",
            "size" : "n"
        },
        "d" : {
            "description" : "",
            "type" : "FLOAT",
            "start" : 0
        },
        "array" : {
            "description" : "",
            "type" : "ARRAY",
            "size" : "n",
            "item-type" : "INT"
        },
        "matrix" : {
            "description" : "",
            "type" : "MATRIX",
            "row" : 2,
            "col" : "n",
            "item-type" : "INT"
        }
    }, 
    "default": {
        "n" : 4,
        "array" : [4,3,1,5],
        "st" : "helo",
        "d" : 9.12,
        "matrix" : [
            [1,2,4,3],
            [3,4,1,1]
        ]
    }, 
    "description": "template"
}

Changes in CLI

  • The configure method should be renamed to connect
  • Making the programmer create the config.json will add more to the programmer
  • Add a new configure command to the CLI which provides a user-friendly interface that the programmer can use to quickly make his config.json.

Security Checklist

  • The only imports accepted must be from ARgorithmToolkit
    import ARgorithmToolkit
    from ARgorithmToolkit import *
  • The objects that can be globally accessed in the server argorithm code should not be referenced

A new submodule security.py will contain all functions necessary for examining programmer code for possible harmful code injection so that it can be again utilised at server side
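
One way to implement the import and global-reference checks from the checklist with Python's built-in ast module (an added example, not the project's security.py). The SERVER_GLOBALS names and the deny-list of builtins are assumptions, since the thread does not name the server's objects; the check that StateSet is returned is not covered, and a static pass like this complements run-time isolation of submitted code rather than replacing it.

```python
import ast

ALLOWED_ROOT = "ARgorithmToolkit"
# Hypothetical deny-lists: the thread does not name the server's objects.
SERVER_GLOBALS = {"app", "config", "db"}
DYNAMIC_BUILTINS = {"__import__", "eval", "exec", "compile", "open", "globals", "getattr"}

def check_source(source, function="run"):
    """Return sorted (line, message) findings; an empty list means the file passed."""
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:
        return [(exc.lineno or 0, "file does not parse: " + exc.msg)]
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] != ALLOWED_ROOT:
                    findings.append((node.lineno, "import of " + alias.name))
        elif isinstance(node, ast.ImportFrom):
            # level > 0 is a relative import, which resolves inside the hosting package
            if node.level or (node.module or "").split(".")[0] != ALLOWED_ROOT:
                findings.append((node.lineno, "import from " + "." * node.level + (node.module or "")))
        elif isinstance(node, ast.Name) and node.id in SERVER_GLOBALS | DYNAMIC_BUILTINS:
            findings.append((node.lineno, "reference to " + node.id))
        elif isinstance(node, ast.Attribute) and node.attr.startswith("__"):
            # dunder attributes reach interpreter internals without any import
            findings.append((node.lineno, "dunder attribute " + node.attr))
    if function not in {n.name for n in tree.body if isinstance(n, ast.FunctionDef)}:
        findings.append((0, "entry function " + function + " is not defined"))
    return sorted(findings)

# Constructed sample submissions, not taken from the project.
GOOD = """import ARgorithmToolkit
from ARgorithmToolkit import *

def run(**kwargs):
    return StateSet()
"""
BAD = """import os
from ARgorithmToolkit import *

def run(**kwargs):
    os.listdir(".")
    return eval("1 + 1"), app
"""

if __name__ == "__main__":
    for name, src in (("good", GOOD), ("bad", BAD)):
        print(name, check_source(src))
```

The function argument corresponds to the "function" key of config.json, so the CLI can pass the configured entry point instead of the default run.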
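
A validator for the config.json design described in this thread, as an added example that is not the project's code. It assumes every declared parameter needs a value under default and that the value must satisfy the declared type, item-type, size, row, col, start and end.

```python
SCALARS = {"INT": int, "FLOAT": (int, float), "STRING": str}

def _dim(ref, values):
    # size/row/col: an integer, or the name of another parameter whose default is used
    return values.get(ref) if isinstance(ref, str) else ref

def _scalar_ok(kind, value):
    # bool is a subclass of int in Python, so reject it explicitly
    return isinstance(kind, str) and kind in SCALARS and isinstance(value, SCALARS[kind]) and not isinstance(value, bool)

def _check(spec, value, values):
    """Return a problem string for one default value, or None if it fits its spec."""
    kind = spec["type"]
    if kind in ("ARRAY", "MATRIX"):
        rows = value if kind == "MATRIX" else [value]
        if not isinstance(rows, list) or not all(isinstance(r, list) for r in rows):
            return "expected " + kind
        if not all(_scalar_ok(spec.get("item-type"), x) for r in rows for x in r):
            return "items do not match item-type"
        if kind == "MATRIX" and _dim(spec.get("row"), values) not in (None, len(rows)):
            return "row count differs from row"
        width = _dim(spec.get("col" if kind == "MATRIX" else "size"), values)
        return None if all(width in (None, len(r)) for r in rows) else "length differs from col/size"
    if not _scalar_ok(kind, value):
        return "expected " + str(kind)
    if kind == "STRING" and _dim(spec.get("size"), values) not in (None, len(value)):
        return "length differs from size"
    if kind != "STRING" and not spec.get("start", value) <= value <= spec.get("end", value):
        return "outside start/end range"
    return None

def validate_config(config):
    """Return sorted problems for a parsed config.json; an empty list means consistent."""
    params, values = config.get("parameters", {}), config.get("default", {})
    problems = ["default." + k + ": not declared in parameters" for k in values if k not in params]
    for name, spec in params.items():
        if "description" not in spec or "type" not in spec:
            problems.append(name + ": description and type are compulsory")
        elif name not in values:
            problems.append(name + ": no default value")
        elif (msg := _check(spec, values[name], values)) is not None:
            problems.append(name + ": " + msg)
    return sorted(problems)

# Constructed input: "arr" in default does not match the declared "array" parameter.
SAMPLE = {
    "parameters": {"n": {"description": "", "type": "INT"},
                   "array": {"description": "", "type": "ARRAY", "size": "n", "item-type": "INT"}},
    "default": {"n": 4, "arr": [4, 3, 1, 5]},
}
```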