How to sanitize user input to prevent Python injection? #91
Comments
Hi, thanks for your interest in react-py. This method of capturing user input is a bit of a hack, and is very susceptible as you've pointed out. I've been working on a patch for stdin which will allow pausing code execution to capture user input. This will remove the need for a workaround and will also work for scenarios where you might have input in a loop for example. Due to the complexity of getting this to work with web workers, for multiple instances and designing a nice API, this is taking me a little while to figure out. Here's a preview of a paused script waiting for input: If you're just wanting to set a global before executing code instead of an interactive approach, this will also be available eventually through getter/setter methods.
Thanks for your reply, makes sense. Some way to pass in globals from JS to Python would be ideal for my use case. Will keep an eye out for that!
Is this pausing of the execution to capture the input available in the current version? I am in need of it. Just wanted to make sure before I start working on it.
@jothikannan89 pausing execution to capture input is not currently available on the main branch. The method I'm trying relies on using an additional Service Worker (not a Web Worker) to listen for input events. The code is on this branch https://github.com/elilambnz/react-py/tree/stdin-patch specifically in the Please feel free to open a new issue if you plan to work on this and would like to discuss further.
@jothikannan89 the latest version of @holdenmatt support for accessing Python scope is being tracked here #67 |
Hi, I'm starting to use this in a new project, and really like how simple you make it to use pyodide in a React app (nice work!).
One issue I've run into is how to sanitize user input. I have a user-provided string in JS that I want to use as a parameter for a Python function, very similar to your example here:
https://elilambnz.github.io/react-py/docs/examples/user-input#user-input-field
However, the approach you use there is vulnerable to injecting arbitrary code. For example, I can trick it into running arbitrary Python commands in pyodide, like this:
Any recommendation for how to sanitize a string to prevent this?
Another approach might be to expose the globals object from Pyodide, as described here: https://pyodide.org/en/stable/usage/faq.html#how-can-i-execute-code-in-a-custom-namespace
Then variables could be set that way instead of via string concatenation. Sounds like that might already be planned?
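The two approaches contrasted in this issue, as an added example that is not react-py's code or part of the original thread. It uses plain CPython `exec()` with a namespace dict to stand in for Pyodide's `runPython(code, { globals: namespace })` from the FAQ linked above (that correspondence is my assumption here, not something the thread states): the first function pastes the user's string into the Python source, the second keeps the source fixed and hands the string over as data. The inputs are constructed; the injecting one only sets a marker variable so the difference is observable.

```python
"""Added example (not react-py's own code): interpolating user text into
Python source vs. passing it in through a namespace.

Assumption: Pyodide's runPython(code, { globals: ns }) behaves like
CPython's exec(code, ns) below, which is what the linked FAQ describes.
"""


def greet(name: str) -> str:
    """The Python function the JS side wants to call with a user string."""
    return f"Hello, {name}!"


def run_interpolated(user_input: str) -> dict:
    """VULNERABLE: the user-input-field pattern, where the user's text is
    concatenated straight into the source string that gets executed.
    Anything that closes the string literal becomes live code."""
    namespace = {"greet": greet}
    code = "result = greet('" + user_input + "')"
    exec(code, namespace)
    return namespace


def run_with_globals(user_input: str) -> dict:
    """HARDENED: the source string is a fixed constant. The user's text is
    placed in the execution namespace as a value, so the parser never
    sees it and no quoting or sanitizing of the string is needed."""
    namespace = {"greet": greet, "user_input": user_input}
    exec("result = greet(user_input)", namespace)
    return namespace


# Constructed inputs. The second one terminates the string literal, adds a
# statement that sets a marker, and comments out the leftover "')".
BENIGN_INPUT = "Ada"
INJECTING_INPUT = "Ada'); injected = True  #"


def demo() -> dict:
    """Run both variants and report whether the injected statement executed."""
    vuln_ok = run_interpolated(BENIGN_INPUT)
    vuln_bad = run_interpolated(INJECTING_INPUT)
    safe_bad = run_with_globals(INJECTING_INPUT)
    return {
        "vulnerable_benign": vuln_ok["result"],
        "vulnerable_injected_ran": vuln_bad.get("injected", False),
        "hardened_result": safe_bad["result"],
        "hardened_injected_ran": safe_bad.get("injected", False),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

In the hardened variant the whole injecting string simply ends up inside the greeting, which is the behaviour you want: the value is data, and the only code that runs is the constant you wrote. The same holds in Pyodide when the user string is stored in the namespace object passed as `globals` rather than spliced into the `runPython` source.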