Yes, ou can use `dynamic-require` with a limited code inspector like this: (parameterize ([current-code-inspector (make-inspector)]) (dynamic-require 'untrusted-foo 'foo-provided-name))
At Fri, 22 Oct 2021 12:42:58 -0700 (PDT), "kalime...@gmail.com" wrote: > Thank you! > > Is it possible to safely load untrusted module with dynamic-require? > > пятница, 22 октября 2021 г. в 22:59:57 UTC+5, Robby Findler: > > > On Fri, Oct 22, 2021 at 12:43 PM Matthew Flatt <mfl...@cs.utah.edu> wrote: > > > >> At Thu, 21 Oct 2021 07:37:12 -0700 (PDT), "kalime...@gmail.com" wrote: > >> > I've read about protect-out and current-code-inspector, but I still > >> cannot > >> > understand, how to require a module and forbid it to run protected > >> modules. > >> > > >> > Something like (require untrusted-foo) (foo-proc) but to forbid > >> foo-proc to > >> > use ffi/unsafe. > >> > >> If you use > >> > >> (current-code-inspector (make-inspector)) > >> (require untrusted-foo) > >> > >> > > Just in case: I think Matthew as thinking of two subsequent REPL > > interactions (or calls to eval or suchlike). If you put those two together > > into a file in #lang racket, say, you won't be protected against > > untrusted-foo. > > > > Robby > > > > > >> and assuming that `untrusted-foo` hasn't been loaded earlier, then > >> `untrusted-foo` will not be able to use protected binding. > >> > >> That sequence will also disable the use of protected bindings by > >> anything that `untrusted-foo` depends on and that hasn't already been > >> loaded. So, if you want those dependencies to be able to use untrusted > >> things, you need to load the before `(current-code-inspector > >> (make-inspector))`. > >> > >> -- > >> You received this message because you are subscribed to the Google Groups > >> "Racket Users" group. > >> To unsubscribe from this group and stop receiving emails from it, send an > >> email to racket-users...@googlegroups.com. > >> > > To view this discussion on the web visit > >> > https://groups.google.com/d/msgid/racket-users/20211022114302.3e4%40sirmail.smtp > s.cs.utah.edu > >> . > >> > > > > -- > You received this message because you are subscribed to the Google Groups > "Racket Users" group. > To unsubscribe from this group and stop receiving emails from it, send an > email > to racket-users+unsubscr...@googlegroups.com. > To view this discussion on the web visit > https://groups.google.com/d/msgid/racket-users/004de0e0-b25f-4bae-be79-9bdd561a1 > e18n%40googlegroups.com. -- You received this message because you are subscribed to the Google Groups "Racket Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to racket-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/racket-users/20211023102301.11%40sirmail.smtps.cs.utah.edu.
