Skip to content

feat(confmanager): Added ZMS.input.exec.restrict #431

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
cmeier76 wants to merge 6 commits into
base: main
Choose a base branch
from
Open

feat(confmanager): Added ZMS.input.exec.restrict #431

cmeier76 wants to merge 6 commits into from

Conversation

@cmeier76
Copy link
Member

@cmeier76 cmeier76 commented Oct 13, 2025

On discussing and reverting #430 (comment) we suggest these further actions - but we are unsure whether it has unintended consequences. What do you think...?! cc/ @OscarMeier

@cmeier76 cmeier76 requested review from drfho and zmsdev October 13, 2025 18:51
@cmeier76
Copy link
Member Author

cmeier76 commented Oct 14, 2025
edited
Loading

@drfho & @OscarMeier As discussed earlier today I introduced a new conf property ZMS.keywords.prevent in e02b822

It preserves handling in standard.dt_exec (conf property with restricted keywords are optional) and it is required to use the new standard.get_env wrapper method (setting of conf property is mandatory for the given context).

@cmeier76 cmeier76 changed the title fix(standard): Avoid conf calls in dt_exec feat(confmanager): Added ZMS.keywords.prevent Oct 14, 2025
@cmeier76 cmeier76 force-pushed the avoid-conf-calls-in-dt-exec branch 2 times, most recently from 274134a to a8f1f87 Compare October 14, 2025 11:14
@cmeier76
feat(confmanager): Added ZMS.keywords.prevent
e02b822 
Prevent usage of these keywords on standard.dt_exec or standard.get_env
@cmeier76 cmeier76 force-pushed the avoid-conf-calls-in-dt-exec branch from a8f1f87 to e02b822 Compare October 14, 2025 12:32
@cmeier76
refact(standard): Extracted check_prevented_keywords
bafe60e 
This limits the check to actual code execution.
@cmeier76 cmeier76 force-pushed the avoid-conf-calls-in-dt-exec branch from 6b3fb9a to bafe60e Compare October 14, 2025 13:37
drfho
drfho requested changes Oct 14, 2025
View reviewed changes
Copy link
Contributor

@drfho drfho left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi, according to "Restricted Python" we may choose a similar term, because the approach has a similar goal: preventing code executions by defining restricted function names. Moreover there is a term "input" qualifying confproperties, dealing with user-entries.
Putting it together the terminology might be:

  1. ZMS.input.exec.restrict
  2. check_restricted_inputs(context, value, can_ignore)

The param 'can_ignore' is a doubled negation? ignore restriction vs. forcing the restriction? If the confprop ist not available, its restriction shall be forced, right? Why not give a default here, like check_restricted_inputs(context, value, force_restriction=False)

@cmeier76 cmeier76 requested a review from drfho October 14, 2025 17:16
@cmeier76 cmeier76 changed the title feat(confmanager): Added ZMS.keywords.prevent feat(confmanager): Added ZMS.input.exec.restrict Oct 14, 2025
@cmeier76 cmeier76 marked this pull request as ready for review October 14, 2025 17:20
drfho
drfho approved these changes Oct 14, 2025
View reviewed changes
Copy link
Contributor

@drfho drfho left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Hint:
The new error may have devastating effects on the content stream. So the standard-template of the concerned object may need some exeption handling for giving a polite feedback ;-)

image

@cmeier76
Copy link
Member Author

cmeier76 commented Oct 14, 2025

Hint: The new error may have devastating effects on the content stream. So the standard-template of the concerned object may need some exeption handling for giving a polite feedback ;-)

@drfho I would have expected the message and traceback from the raise exception - as seen in my tests:

Screenshot 2025-10-14 at 22 28 44

@cmeier76 cmeier76 marked this pull request as draft October 20, 2025 18:41
@cmeier76 cmeier76 requested a review from drfho October 20, 2025 18:50
@cmeier76 cmeier76 marked this pull request as ready for review October 20, 2025 18:51
@cmeier76 cmeier76 force-pushed the avoid-conf-calls-in-dt-exec branch from 558eeca to 36d1acc Compare October 20, 2025 19:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@zmsdev zmsdev Awaiting requested review from zmsdev

@drfho drfho Awaiting requested review from drfho

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@cmeier76 @drfho