This package lets you safely evaluate strings in R using something more sophisticated than

```r
code <- "x <- 1"
eval(parse(text = code))
```

by applying a whitelisting logic. The "whitelist" contains safe commands which won't be able to hurt your system when the code is sent by a client. This package was developed for use in a shiny web application that aims to give users access to an editor where they can execute R scripts on a server. The package is supposed to be used in the future to secure that server.

```r
## install from github
devtools::install_github("GregorDeCillia/kasper")
```

Create a new evaluator with `evaluator$new()`. This will initialize a new evaluator object.

```r
library(kasper)
myEvaluator <- evaluator$new()
```

The evaluator object has a method `eval()`, which evaluates R code passed as a string or as an expression.

```r
myEvaluator$eval({
  x <- 1; x <- x + 1; x; x - 1
})
```

There are no outputs? Don't worry, they are all captured in the `myEvaluator` object and can be retrieved with `replay()`. The method is named after the underlying function `evaluate::replay`, which was developed by the r-lib organization.

```r
myEvaluator$replay()
## > x <- 1
## > x <- x + 1
## > x
## [1] 2
## > x - 1
## [1] 1
```

If your R code contains any errors, error messages will be returned by the `replay()` method. This does not interrupt the evaluation.

```r
myEvaluator$eval({ y; 2 + 2 })
myEvaluator$replay()
## > y
## Error in eval(expr, envir, enclos): object 'y' not found
## > 2 + 2
## [1] 4
```

An error also occurs if the user tries to perform anything that is not whitelisted. Functions like `system()` are not available and are treated as though they do not exist.

```r
myEvaluator$eval("system('mkdir testdir')")
myEvaluator$replay()
## > system('mkdir testdir')
## Error in system("mkdir testdir"): could not find function "system"
```

To display all whitelisted commands, use `getWhiteList()`.

```r
head(myEvaluator$getWhiteList())
## [1] "%/%" ":" "log" "%%" "logical" "<"
```

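
The following added example, which is not kasper's own code, shows one way to get the "function does not exist" behaviour in base R: expressions are evaluated in an environment whose parent is `emptyenv()` and which holds only whitelisted functions. The names `whitelist`, `make_sandbox` and `safe_eval` and the sample whitelist are assumptions made for the illustration.

```r
# Added illustration in base R; not kasper's source code.
# The whitelist below is a constructed sample, not kasper's actual list.
whitelist <- c("<-", "{", "(", "+", "-", "*", "/", "<", ">", "==",
               ":", "c", "sum", "log", "sqrt")

# Build an environment that contains only the whitelisted functions.
# Its parent is emptyenv(), so symbol lookup stops there and never
# reaches baseenv() or the global environment.
make_sandbox <- function(allowed) {
  env <- new.env(parent = emptyenv())
  for (name in allowed) {
    assign(name, get(name, envir = baseenv(), mode = "function"), envir = env)
  }
  env
}

# Parse a string and evaluate each top-level expression in the sandbox.
# Evaluation errors are captured per expression, so later expressions
# still run.
safe_eval <- function(code, env) {
  exprs <- parse(text = code, keep.source = FALSE)
  lapply(exprs, function(expr) {
    tryCatch(
      list(ok = TRUE, value = eval(expr, envir = env)),
      error = function(e) list(ok = FALSE, value = conditionMessage(e))
    )
  })
}

sandbox <- make_sandbox(whitelist)
results <- safe_eval("x <- 1; x + 1; system('mkdir testdir'); sum(1:3)", sandbox)
for (r in results) {
  cat(if (r$ok) "value:" else "error:", format(r$value), "\n")
}
```

A whitelist built this way is only as safe as its entries: functions that can reach other environments, such as `get`, `eval` or `do.call`, must stay off it.
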
The evaluator can add minimal support for `dplyr` operations by setting the `dplyr` flag to `TRUE`.

```r
myEvaluator <- evaluator$new(dplyr = TRUE)
myEvaluator$eval({
  data.frame(a = 1:4, b = letters[1:4]) %>% filter(a < 3)
})
myEvaluator$replay()
## > data.frame(a = 1:4, b = letters[1:4]) %>% filter(a < 3)
##   a b
## 1 1 a
## 2 2 b
```

- See https://github.com/rapporter/sandboxR for an evaluator that uses a blacklisting logic to safely evaluate R expressions.
- See https://github.com/jeroen/RAppArmor for a package that relies on AppArmor to provide protection for Linux systems.