File verification support in CLI
Closed this issue · 11 comments
Adding the preplanned verification feature to the CLI so that users don't submit broken files.
As we are running user-given code on our server, not validating the code that the user submits to the server becomes a serious security issue.
Things to be considered during validation:
- The code submitted should return `ARgorithmToolkit.StateSet`
- The code should execute normally outside the server as well
- The code should not refer to or call any of the objects used in the server
- The code should not import any external library other than `ARgorithmToolkit`
More info: https://portswigger.net/kb/issues/00100f10_python-code-injection
So we just have to block any import or call to anything other than Toolkit STL
Utkarsh is working on the file content verification to check whether StateSet is being returned, so we just have to check what all is being imported and what all variables are being accessed as well.
Python has inbuilt methods to do that, so we can use that feature. Let me know if any help is required.
@UtkG07 wanted to do this, as this is a good issue to understand the project as well.
If he needs help, I'll ask him to come to you
@yatharthmathur should we make `parameters` and `example` into a list instead of an object? In the json file?
Yeah
Unity's in-built JSON parser (which is preferred because of speed) does not have a proper way to jsonify dynamic objects such as those that we use in parameters and example. In Python we can convert dicts to JSON, giving us a lot more functionality:
```python
import json

# A dict with arbitrary keys can be serialised directly
obj = {
    "key": "value"
}
k = json.dumps(obj)
```
but in C#, `JsonUtility` has no support for dict; the only collections supported are Array and List. Thus creating dynamic objects becomes complicated:
```csharp
using System;
using UnityEngine;

// JsonUtility serialises the public fields of a [Serializable] class,
// so every key has to be declared up front.
[Serializable]
public class Payload {
    public int key;
}

var obj = new Payload { key = 2 };
string jsonified = JsonUtility.ToJson(obj);
```
So I know this can be solved on the unity-app side as well by creating some template classes or using a third-party Unity JSON parser, but I wanted to have a look at whether it's feasible to convert `parameters` and `example` to lists. Does that help us or just make it complicated for advanced use cases?
Whatever data we can simplify into lists can just be converted to lists. The rest we'll have to parse anyway and store in in-app C# runtime data structures.
Update in config.json design
To make it easier to parse config.json to generate input boxes, we will be making some changes in `parameters`.
Each key in `parameters` will have an object with the two compulsory fields `description` and `type`.
- `description`: stores the description of the variable
- `type`: stores the type of data input. There will be 4 types of data inputs available: `INT`, `FLOAT`, `STRING`, `ARRAY`, `MATRIX`. `MATRIX` and `ARRAY` can have a further `item-type` which defines the type of elements in it.
INT
`type : INT` means that an integer input will be requested for this variable. Variables with type `INT` can have two more keys, `start` and `end`, describing the range between which the int value should exist. They are not compulsory.
FLOAT
`type : FLOAT` means that a floating-point number input will be requested for this variable. Variables with type `FLOAT` can have two more keys, `start` and `end`, describing the range between which the float value should exist. They are not compulsory.
STRING
`type : string` means that a string input will be requested for this variable. You can define an additional parameter `size`, which can either be a string referring to another parameter of type `INT` or an integer which will be considered as the size.
ARRAY
`type: array` requests an input of a 1-dimensional series of items. You will have to define an `item-type` to define its type, which can be `INT`, `FLOAT` or `STRING`. You can define an additional parameter `size`, which can either be a string referring to another parameter of type `INT` or an integer which will be considered as the size.
MATRIX
`type: matrix` requests an input of a 2-dimensional series of items. You will have to define an `item-type` to define its type, which can be `INT`, `FLOAT` or `STRING`. You can define additional parameters `row` and `col`, which work similarly to `size` in array.
Sample config.json
```json
{
    "argorithmID": "template",
    "file": "template.py",
    "function": "run",
    "parameters": {
        "n": {
            "description": "",
            "type": "INT"
        },
        "st": {
            "description": "",
            "type": "STRING",
            "size": "n"
        },
        "d": {
            "description": "",
            "type": "FLOAT",
            "start": 0
        },
        "array": {
            "description": "",
            "type": "ARRAY",
            "size": "n",
            "item-type": "INT"
        },
        "matrix": {
            "description": "",
            "type": "MATRIX",
            "row": 2,
            "col": "n",
            "item-type": "INT"
        }
    },
    "default": {
        "n": 4,
        "arr": [4, 3, 1, 5],
        "st": "helo",
        "d": 9.12,
        "matrix": [
            [1, 2, 4, 3],
            [3, 4, 1, 1]
        ]
    },
    "description": "template"
}
```
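As an added example (not part of the project's code), here is a validator that checks a `parameters` block against the rules described above; the function and its error messages are my own, and type names are matched case-insensitively since the description writes both `INT` and `string`.

```python
# Added example (not project code): a validator for the "parameters" block
# described above. Type names are compared case-insensitively because the
# description writes both INT and string; function names are my own.
ITEM_TYPES = {"INT", "FLOAT", "STRING"}
ALL_TYPES = ITEM_TYPES | {"ARRAY", "MATRIX"}


def _check_dimension(params, name, key, value, errors):
    """size/row/col must be a non-negative int or the name of an INT parameter."""
    if isinstance(value, int) and not isinstance(value, bool):
        if value < 0:
            errors.append(f"{name}.{key}: must not be negative")
    elif isinstance(value, str):
        ref = params.get(value)
        if not isinstance(ref, dict) or str(ref.get("type", "")).upper() != "INT":
            errors.append(f"{name}.{key}: '{value}' is not a parameter of type INT")
    else:
        errors.append(f"{name}.{key}: must be an int or a parameter name")


def validate_parameters(params):
    """Return a list of problems found; an empty list means the block is valid."""
    if not isinstance(params, dict):
        return ["parameters must be a JSON object"]
    errors = []
    for name, spec in params.items():
        if not isinstance(spec, dict):
            errors.append(f"{name}: must be an object")
            continue
        for field in ("description", "type"):
            if not isinstance(spec.get(field), str):
                errors.append(f"{name}: compulsory field '{field}' missing or not a string")
        kind = str(spec.get("type", "")).upper()
        if kind not in ALL_TYPES:
            errors.append(f"{name}: unknown type {spec.get('type')!r}")
            continue
        if kind in ("INT", "FLOAT"):
            bounds = [spec[k] for k in ("start", "end") if k in spec]
            if any(isinstance(b, bool) or not isinstance(b, (int, float)) for b in bounds):
                errors.append(f"{name}: start/end must be numbers")
            elif len(bounds) == 2 and bounds[0] > bounds[1]:
                errors.append(f"{name}: start is greater than end")
        if kind in ("STRING", "ARRAY") and "size" in spec:
            _check_dimension(params, name, "size", spec["size"], errors)
        if kind in ("ARRAY", "MATRIX") and str(spec.get("item-type", "")).upper() not in ITEM_TYPES:
            errors.append(f"{name}: item-type must be one of INT, FLOAT, STRING")
        for key in ("row", "col"):
            if kind == "MATRIX" and key in spec:
                _check_dimension(params, name, key, spec[key], errors)
    return errors
```

Run on the `parameters` object of the sample above it returns an empty list; a block whose `size` points at a `FLOAT` parameter or whose `ARRAY` lacks `item-type` gets one message per problem.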
Changes in CLI
- The `configure` method should be renamed to `connect`
- Making the programmer create the config.json will add more to the programmer
- Add a new `configure` command to the CLI which provides a user-friendly interface that the programmer can use to quickly make their config.json.
Security Checklist
- The only imports accepted must be from `ARgorithmToolkit`:
```python
import ARgorithmToolkit
from ARgorithmToolkit import *
```
- The objects that can be globally accessed in the server argorithm code should not be referenced
A new submodule `security.py` will contain all functions necessary for examining programmer code for possible harmful code injection, so that it can be utilised again at the server side.
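As an added example of what such a `security.py` check could look like (this is not the project's code), the following uses Python's standard `ast` module to enforce the two checklist items statically; the server-object names in `SERVER_GLOBALS` are hypothetical placeholders, and the sample submission is constructed.

```python
# Added example (not the project's security.py): a static check with the stdlib ast
# module for the two checklist items above; SERVER_GLOBALS holds hypothetical names.
import ast

ALLOWED_ROOT = "ARgorithmToolkit"
SERVER_GLOBALS = frozenset({"app", "db", "request"})  # hypothetical server objects


def check_source(source, forbidden=SERVER_GLOBALS):
    """Return sorted [(lineno, message), ...]; empty means nothing was flagged.
    This is an allowlist on what the code statically names: a pre-submission
    check, not a substitute for isolating the code when the server runs it."""
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:
        return [(exc.lineno or 0, f"syntax error: {exc.msg}")]
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] != ALLOWED_ROOT:
                    findings.append((node.lineno, f"import of '{alias.name}' not allowed"))
        elif isinstance(node, ast.ImportFrom):
            root = (node.module or "").split(".")[0]
            if node.level or root != ALLOWED_ROOT:  # level > 0 is a relative import
                findings.append((node.lineno, f"import from '{node.module or '.'}' not allowed"))
        elif isinstance(node, ast.Name):
            if node.id in forbidden:
                findings.append((node.lineno, f"reference to server object '{node.id}'"))
            elif node.id == "__import__":
                findings.append((node.lineno, "dynamic import via __import__"))
    return sorted(findings)


# Constructed submission containing one violation of each kind.
SAMPLE = """\
import ARgorithmToolkit
from ARgorithmToolkit import StateSet
import os
from . import helper

def run(**kwargs):
    db.execute("x")
    mod = __import__("os")
    return StateSet()
"""

if __name__ == "__main__":
    for lineno, msg in check_source(SAMPLE):
        print(f"line {lineno}: {msg}")
```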