You may want to be able to set a time or space limit for each statement? Also a try. catch.

On Nov 28, 2013 4:20 AM, "Devon McCormick" <[email protected]> wrote:
> I haven't yet put it up on the J wiki, but we had a segment at this month's
> NYCJUG about generating random J phrases. I won't go into the why and how
> but here's some things I uncovered with this exercise.
>
> DON'T TRY THIS AT HOME
> ====================
> If you want to use up all your memory, you may be able to do this (on a 3
> GB RAM machine):
>
>    *.^:x:23
>
> but this probably will not work
>
>    *.^:x:24
>
> and this won't (unless - maybe - you have more than 16GB):
>
>    *.^:x:29
>
> If you look at the shape of this expression with a number smaller than 23,
> you'll get an idea of what the problem is.
>
> Don't try these at all:
>
>    _.*.1
>    1:H.0:_.
>    *f.H.1:_.
>    1:H.}:_.
>    ,:/a.
>
> (these all lock up J so that it has to be killed or eventually use up all
> memory, at least on the two or three machines where I've tried it).
>
> I have a longer list of valid - but very bad - J phrases that I have to
> filter out from my randomly-generated phrases but this will have to wait
> until I have time to put up the longer essay. In any case, there are
> potentially dangerous J phrases you may not be able to filter out.
>
>
> On Wed, Nov 27, 2013 at 2:22 PM, Pascal Jasmin <[email protected]> wrote:
>
> > I'm not positive what you mean,
> >
> >    w rexec 'do_z_';2;3;4
> > ┌─┬───────────────────────────────────────────────────────────────────┐
> > │4│|ill-formed name: do_z__testcommands_ | w rexec'do_z_';2;3;4 │
> > └─┴───────────────────────────────────────────────────────────────────┘
> >
> > the sanitize function picks the first word (;:) from cmd. As long as the
> > "whitelist" provided by the testcommands locale does not include something
> > like do or memw, then I don't think it's possible to run a locative (?)
> >
> > I did find an error in sanitize, which assumed cmd is a string. Easiest,
> > atm, to preguard for that.
> >
> >    w rexec 2;3;4
> > |domain error: sanitize
> > | w rexec 2;3;4
> >
> >
> > ________________________________
> > From: Henry Rich <[email protected]>
> > To: [email protected]
> > Sent: Wednesday, November 27, 2013 1:11:57 PM
> > Subject: Re: [Jprogramming] safe remote execution
> >
> >
> > What stops cmd from being a locative?
> >
> > Henry Rich
> >
> >
> > On 11/27/2013 10:37 AM, Pascal Jasmin wrote:
> > > These routines should allow for "safe" remote code execution from a not
> > > completely trusted user, but I am posting here in case I missed anything.
> > > Safe means should not crash, and should not execute any command outside the
> > > sandbox locale. User passes a noun that consists of 'cmd';monadic y
> > > arguments (maybe multiple boxes).
> > >
> > > mkerr_z_ =: ((0&;)@:) ( :: ((13!:11 ; 13!:12)@:(''"_)))
> > > chkerr_z_ =: ;@:}. ^:(0 = >@{.)
> > > sanitize_z_ =: (0&pick)@:;:
> > >
> > >
> > > rexec_z_ =: (sanitize@:>@{.@:] loc [) apply mkerr }.@:]
> > >
> > > cocurrent 'testcommands'
> > > (18!:5 '') 18!:2 ] 18!:5 '' NB. removes _z_
> > > double =: +:@:;
> > > echo =: ]
> > >
> > > in immediate window, (or use cocurrent 'base' if typed above
> > >
> > >    w =. <'testcommands'
> > >
> > >
> > >    w rexec 'double';2;3;4
> > > ┌─┬─────┐
> > > │0│4 6 8│
> > > └─┴─────┘
> > >    chkerr w rexec 'double';2;3;4
> > > 4 6 8
> > >
> > >    w rexec 'do_z';2;3;4
> > > ┌──┬─────────────────────────────────────────────────────┐
> > > │21│|value error: do_z_testcommands_ | (<0),<x u y │
> > > └──┴─────────────────────────────────────────────────────┘
> > >
> > > any improvements or security failure?
> > >
> > > Note the first line of 'testcommands' locale, is there a way to set the
> > > search path to nothing (instead of self as done there)
> > >
> > > ----------------------------------------------------------------------
> > > For information about J forums see http://www.jsoftware.com/forums.htm
> >
>
> --
> Devon McCormick, CFA
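
The points raised in this thread (a locative as cmd, a non-string cmd, a try/catch, and time or space limits) combined in one dispatcher, as an added example that is not code from any participant. The names `rexec2`, `allowed` and `sandbox`, the `_1` refusal code and the limit values are assumptions; `9!:20`/`9!:21`, `9!:32`/`9!:33` and `128!:2` are J's memory-limit, execution-time-limit and apply foreigns.

```j
NB. Added example, not code from the thread.
NB. Hypothetical names: rexec2, allowed, sandbox. Limits and _1 are assumed values.
cocurrent 'testcommands'
double =: +:@:;
echo   =: ]
cocurrent 'base'

sandbox =: 'testcommands'
allowed =: 'double';'echo'          NB. explicit allowlist of callable names

rexec2 =: 3 : 0
  r =. _1 ; 'command not allowed'   NB. default answer: refuse
  cmd =. {. , y                     NB. first item, still boxed if y was boxed
  NB. Exact match only. A number, a table, 'do_z_' or 'double echo'
  NB. never equals an allowlist entry, so nothing is tokenized or parsed.
  if. cmd e. allowed do.
    oldt =. 9!:32 ''                NB. current execution time limit
    oldm =. 9!:20 ''                NB. current memory limit
    9!:33 (5)                       NB. at most 5 seconds of compute
    9!:21 (100000000)               NB. cap on any ONE allocation, in bytes
    try.
      r =. 0 ; < ((> cmd) , '_' , sandbox , '_') 128!:2 }. , y
    catch.
      r =. (13!:11 '') ; 13!:12 ''  NB. error number ; error text
    end.
    9!:33 oldt                      NB. restore the previous limits
    9!:21 oldm
  end.
  r
)

rexec2 'double';2;3;4               NB. allowlisted name
rexec2 'do_z_';2;3;4                NB. locative: not in the list
rexec2 2;3;4                        NB. non-string cmd: refused, not a domain error
```

The memory foreign bounds a single allocation rather than total use, so it narrows but does not close the exhaustion cases described in the quoted message.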
