@godlygeek godlygeek commented Dec 13, 2024

Switch from a buffer containing Python code to a buffer containing the path to a file containing Python code. This helps to prevent an attacker with arbitrary memory write capabilities inside a running Python process from also gaining arbitrary code execution if they don't already have the ability to write to the file system.

Also, indicate that we will send a new audit event whenever this interface is used, so that any attacker who uses it risks detection.


📚 Documentation preview 📚: https://pep-previews--4169.org.readthedocs.build/

@godlygeek godlygeek requested a review from pablogsal as a code owner December 13, 2024 23:08
@pablogsal (Member)

@godlygeek we need to update the "Using a path as the debugger input" to contain the reverse: using a script as the debugger input :)

@godlygeek (Contributor, Author)

Good call, fixed.

@pablogsal pablogsal merged commit f8b3777 into python:main Dec 14, 2024
5 checks passed
@pablogsal (Member)

CC @zooba. After investigating a bit we have switched the design from a buffer holding the code to a buffer holding the path to elevate the security profile of in-process threats, so an attacker with write memory access doesn't automatically gain execution access.

@zooba (Member) commented Dec 16, 2024

Of course I see this comment after I review the other PR and complain about mentioning files 😆

This is a fine change. Make sure in the implementation that open_code is used to read the file (PyOS_OpenCode IIRC? Or maybe there's no C API for it....)

@pablogsal (Member)

> This is a fine change. Make sure in the implementation that open_code is used to read the file (PyOS_OpenCode IIRC? Or maybe there's no C API for it....)

We will figure it out 👍
