验证从Jython编译的Java类的安全性
[英]Verify safety of Java classes compiled from Jython
问题描述
Background 
背景
I am assisting in the building of a web based interface to program simple AI, which play games and compete against other AI. 我正在协助构建基于Web的界面,以对简单的AI进行编程,从而可以玩游戏并与其他AI竞争。
One of the main requirements of the system is that user submitted code is verified to be safe to run on the server. 系统的主要要求之一是验证用户提交的代码可以在服务器上安全运行。 Ie, if the submitted code accesses the file system, we need to reject the submission. 也就是说,如果提交的代码访问文件系统,我们需要拒绝提交。
Currently, the system runs using Java as a submission language, and performs byte-code analysis to check classes used by the submitted code against a white-list. 当前,该系统使用Java作为提交语言运行,并执行字节码分析以对照白名单检查提交的代码使用的类。 If the submission uses classes which are not allowed, the submission is rejected. 如果提交使用不允许的类,则提交被拒绝。
I am currently exploring our options for supporting submissions in Python, which (using the Jython library) are converted into a Java class that runs against the existing system. 我目前正在探索支持使用Python提交的选项,这些选项(使用Jython库)被转换为可在现有系统上运行的Java类。
I have run into some issues, which involve the Java-compiled Python code. 我遇到了一些问题,其中涉及Java编译的Python代码。 Namely, a simple Python script (once compiled to Java), doing no more than variable assignments appears to use the same classes as a Python class that reads and writes files. 即,一个简单的Python脚本(一旦编译为Java),仅执行变量分配,似乎使用与读取和写入文件的Python类相同的类。 This means that I can't tell (based on classes used) whether or not the file system will be accessed. 这意味着我无法(基于使用的类)判断是否将访问文件系统。
Questions 问题
Does the compilation of Python code into a Java object using the Jython libraries simply wrap the code into a class that calls a Python interpreter and executes the Python code? 使用Jython库将Python代码编译为Java对象是否只是将代码包装到一个调用Python解释器并执行Python代码的类中? (If so, byte code analysis is not the solution to the problem explained above). (如果是这样,字节码分析将不能解决上述问题)。
If the Jython libraries do actually create a true Java object, that doesn't call a Python interpreter when running, how can I analyse whether or not the object is attempting to access the file system? 如果Jython库确实创建了一个真正的Java对象,该对象在运行时不会调用Python解释器,那么我如何分析该对象是否正在尝试访问文件系统?
1 个解决方案
解决方案1
0 2014-08-04 05:28:10
Is Jython the same language as Python?
Yes.
https://wiki.python.org/jython/JythonFaq/GeneralInfo https://wiki.python.org/jython/JythonFaq/GeneralInfo
So no need to worry about calling external python interpreter. 因此,无需担心调用外部python解释器。
To solve problems with code checking, you can try this http://blog.datenwerke.net/p/the-java-sandbox.html Documentation has good samples of how to use it http://blog.datenwerke.net/p/java-sandbox-03-documentation.html 要解决代码检查方面的问题,您可以尝试以下方法: http://blog.datenwerke.net/p/the-java-sandbox.html文档提供了有关如何使用它的良好示例http://blog.datenwerke.net/p /java-sandbox-03-documentation.html
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.