@wilfreddv
Last active November 19, 2018 20:51
Writeup of a Discord bot that runs Python code

Writing a Discord bot that executes Python code

How did it start

Python has become wildly popular in a number of fields, one of which is (chat)bots. Eventually I couldn't resist the urge to write one myself, and I wouldn't be myself if it did not involve some dangerous challenge. That's why I challenged myself to write a Discord bot that lets users run snippets of Python code on my machine.

Chapter 1: Building the skeleton

This was the easy part. After kickstarting my Discord bot knowledge by watching Sentdex's series on YouTube, I managed to throw together a quick bot. Of course, this was still very bare-bones, with only two functions: reporting some information about the bot and telling the user they had called a bot command. After confirming it worked properly with Discord, it was time to start the fun part.

Chapter 2: Tackling the code evaluation

As you might have heard, using eval in Python is considered to be very dangerous. eval lets you run arbitrary Python code, pretty much without restrictions. Since I was going to be executing code submitted by strangers on the internet, this was obviously NOT the way to go. But WHY is this not how you should do it, and HOW can we make it "safe"? Well, I immediately thought of those scary modules called sys and os. Surely, if you were to wreak havoc, you'd use one of those, right? So I set out to compile a list of "trusted" modules, like math and re. After I had made a list of all the modules I would allow to be imported, I realized something else: __builtins__ are a thing. More specifically, __module__() came to mind. Reason enough for me to abandon this train of thought.

Chapter 3: Looking for existing solutions

One thing you should always keep in mind when programming is that you're (probably) not the first one to tackle a given problem. I reckoned this was a case of "don't reinvent the wheel", so after racking my brain over how to make a sandbox environment for Python, I took a relaxing stroll on the Internet. There I found something that confirmed my suspicion: it is called pysandbox. This naturally intrigued me, but after reading the GitHub page, I was left empty-handed. The author of pysandbox found that it is virtually impossible to achieve a true sandbox environment in Python.

Chapter 4: Looking for existing solutions (part 2)

Then I felt like I had stumbled upon the holy grail: "Secure Low Overhead Eval Sandbox In 80 Lines Of Python". It offered me both the pleasure of learning about seccomp and a possible solution. However, while it was a great learning experience, I could not get it to work just right. Needless to say, I was a bit bummed about this, so I got to work on the frontend a bit more. At this point, the user can submit code and get somewhat relevant information back if there was no code or the code block was not detected.

Chapter 5: Looking for existing solutions (part 3)

As I said earlier, I followed a tutorial by Sentdex to get started. It turns out he has a wonderful Discord server! After complaining about how stuck I was, Daniel Kukiela, one of the admins, recommended firejail to me. As much as the name intrigued me, I had no idea what it was or how to use it, so I set sail yet again to read some documentation. This time it seemed to work fairly well. Apart from the usual hassle, getting it to work properly went surprisingly smoothly, and after testing the bot, I felt like this journey was coming to an end.
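To make the two pieces above concrete (detecting the code block in a Discord message, and handing the snippet to firejail rather than to eval), here is an added example that is not part of the original gist. The firejail flag set is my own constructed profile, not the author's; the snippet is fed over stdin so no host file is exposed inside the jail, and the host-side timeout backs up firejail's own.

```python
import re
import subprocess

# Matches a Discord code block: ```py / ```python / bare ``` ... ```
CODE_BLOCK_RE = re.compile(r"```(?:py(?:thon)?)?\n(.*?)```", re.DOTALL)


def extract_code_block(message: str):
    """Return the body of the first fenced code block, or None if there is none."""
    m = CODE_BLOCK_RE.search(message)
    return m.group(1) if m else None


def build_firejail_cmd(timeout_s: int = 5, mem_bytes: int = 128 * 1024 * 1024) -> list:
    """Command line that runs python3 under firejail with a restrictive profile.
    Constructed example profile; adjust the limits to your host."""
    hhmmss = f"00:{timeout_s // 60:02d}:{timeout_s % 60:02d}"  # firejail wants hh:mm:ss
    return [
        "firejail", "--quiet",
        "--net=none",              # no network: the snippet cannot phone home
        "--private",               # throwaway home directory, host files hidden
        "--private-tmp", "--private-dev",
        "--seccomp",               # firejail's default syscall filter
        "--caps.drop=all", "--nonewprivs", "--noroot",
        "--shell=none",            # exec python3 directly, no shell in between
        f"--rlimit-as={mem_bytes}",
        "--rlimit-nproc=20",       # fork bombs stop early
        "--rlimit-fsize=65536",    # cannot fill the (private) disk
        f"--timeout={hhmmss}",
        "python3", "-I", "-",      # -I: ignore env vars and user site; "-": read code from stdin
    ]


def run_untrusted(code: str, timeout_s: int = 5) -> dict:
    """Run `code` inside the jail and return a Discord-sized result."""
    try:
        proc = subprocess.run(build_firejail_cmd(timeout_s), input=code,
                              capture_output=True, text=True,
                              timeout=timeout_s + 2)  # host-side kill if firejail's timer fails
    except subprocess.TimeoutExpired:
        return {"ok": False, "output": "", "error": "timed out"}
    output = (proc.stdout + proc.stderr)[:1900]  # Discord messages cap at 2000 characters
    return {"ok": proc.returncode == 0, "output": output, "error": ""}


if __name__ == "__main__":
    snippet = extract_code_block("run this:\n```py\nprint(sum(range(10)))\n```")
    print(run_untrusted(snippet))  # needs firejail installed on the host
```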

Chapter 6: Serving side dishes

No meal is complete without some sweet side dishes, and neither is this bot. Adding some extra functionality for the end user is never a bad idea (unless you don't get paid for it, but I get paid in experience). Having the code neatly organized is also not a bad idea, so I thought I'd clean up the code I have thus far before rounding it off with some other tools for the end user.

TO BE CONTINUED

@WhoIsAbishag

Taps Foot
