coop-cloud/grist
1
0
Fork 0
Code Issues 2 Pull Requests Packages Projects Releases Wiki Activity

Enable sandboxing by default #3

New Issue
Closed
opened 2024-07-04 18:52:45 +00:00 by iexos · 0 comments
iexos commented 2024-07-04 18:52:45 +00:00
Owner
Copy Link

Grist python formula execution seems to be pretty permissive and doesn't seem to be contained at all. This could be problematic if people share documents in anonymous edit mode. I suggest we should sandbox by default.

See here: https://support.getgrist.com/self-managed/#how-do-i-sandbox-documents

There are two sandboxing options with GRIST_SANDBOX_FLAVOR:

  • gvisor should be faster, but it didn't work out of the box for me
  • pyodite is slower, but works for me well

I suggest enabling pyodite by default as it should work everywhere. It may be slow, but at least doesn't expose unwary operators to security risks. Any thoughts?

Grist python formula execution seems to be pretty permissive and doesn't seem to be contained at all. This could be problematic if people share documents in anonymous edit mode. I suggest we should sandbox by default. See here: https://support.getgrist.com/self-managed/#how-do-i-sandbox-documents There are two sandboxing options with `GRIST_SANDBOX_FLAVOR`: * `gvisor` should be faster, but it didn't work out of the box for me * `pyodite` is slower, but works for me well I suggest enabling `pyodite` by default as it should work everywhere. It may be slow, but at least doesn't expose unwary operators to security risks. Any thoughts?
iexos closed this issue 2024-07-15 15:38:48 +00:00
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
No items
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
3wordchant aadil abra-bot ammaratef45 Apfelwurm appletalk arjan basebuilder Brooke carla cas codegod100 coopcloud cyrnel decentral1se fauno flancian Frando iexos jade javielico jmakdah2 joe-irving kawaiipunk knoflook kolaente lambdabundesverband linnealovespie marlon mayel mirsal moritz nicksellen notplants p4u1 pau pharaohgraphy renovate-bot ripclap rix rscmbbng sef simon sixsmith stevensting tobias trav val virtualboys wolcen wykwit xynosis yksflip
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: coop-cloud/grist#3
No description provided.
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?