jeans/core
jeans/core
1
0
Fork 0
mirror of https://github.com/home-assistant/core.git synced 2025-07-27 23:27:37 +00:00
Code Issues Packages Projects Releases Wiki Activity

Restrict Python Script (#8053)

Browse Source
This commit is contained in:
Paulus Schoutsen 2017-06-15 22:13:10 -07:00 committed by GitHub
parent c478f2c7d0
commit 74cc675a38
2 changed files with 77 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

58
homeassistant/components/python_script.py
View File

@ -5,6 +5,9 @@ import logging
import voluptuous as vol import voluptuous as vol
from homeassistant.exceptions import HomeAssistantError
from homeassistant.util import sanitize_filename
DOMAIN = 'python_script' DOMAIN = 'python_script'
REQUIREMENTS = ['restrictedpython==4.0a2'] REQUIREMENTS = ['restrictedpython==4.0a2']
FOLDER = 'python_scripts' FOLDER = 'python_scripts'
@ -14,6 +17,18 @@ CONFIG_SCHEMA = vol.Schema({
DOMAIN: vol.Schema(dict) DOMAIN: vol.Schema(dict)
}, extra=vol.ALLOW_EXTRA) }, extra=vol.ALLOW_EXTRA)
ALLOWED_HASS = set(['bus', 'services', 'states'])
ALLOWED_EVENTBUS = set(['fire'])
ALLOWED_STATEMACHINE = set(['entity_ids', 'all', 'get', 'is_state',
'is_state_attr', 'remove', 'set'])
ALLOWED_SERVICEREGISTRY = set(['services', 'has_service', 'call'])
class ScriptError(HomeAssistantError):
"""When a script error occurs."""
pass
def setup(hass, config): def setup(hass, config):
"""Initialize the python_script component.""" """Initialize the python_script component."""
@ -23,21 +38,27 @@ def setup(hass, config):
_LOGGER.warning('Folder %s not found in config folder', FOLDER) _LOGGER.warning('Folder %s not found in config folder', FOLDER)
return False return False
def service_handler(call): def python_script_service_handler(call):
"""Handle python script service calls.""" """Handle python script service calls."""
filename = '{}.py'.format(call.service) execute_script(hass, call.service, call.data)
with open(hass.config.path(FOLDER, filename)) as fil:
execute(hass, filename, fil.read(), call.data)
for fil in glob.iglob(os.path.join(path, '*.py')): for fil in glob.iglob(os.path.join(path, '*.py')):
name = os.path.splitext(os.path.basename(fil))[0] name = os.path.splitext(os.path.basename(fil))[0]
hass.services.register(DOMAIN, name, service_handler) hass.services.register(DOMAIN, name, python_script_service_handler)
return True return True
def execute(hass, filename, source, data): def execute_script(hass, name, data=None):
"""Execute a script.""" """Execute a script."""
filename = '{}.py'.format(name)
with open(hass.config.path(FOLDER, sanitize_filename(filename))) as fil:
source = fil.read()
execute(hass, filename, source, data)
def execute(hass, filename, source, data=None):
"""Execute Python source."""
from RestrictedPython import compile_restricted_exec from RestrictedPython import compile_restricted_exec
from RestrictedPython.Guards import safe_builtins, full_write_guard from RestrictedPython.Guards import safe_builtins, full_write_guard
@ -52,24 +73,41 @@ def execute(hass, filename, source, data):
_LOGGER.warning('Warning loading script %s: %s', filename, _LOGGER.warning('Warning loading script %s: %s', filename,
', '.join(compiled.warnings)) ', '.join(compiled.warnings))
def protected_getattr(obj, name, default=None):
"""Restricted method to get attributes."""
# pylint: disable=too-many-boolean-expressions
if name.startswith('async_'):
raise ScriptError('Not allowed to access async methods')
elif (obj is hass and name not in ALLOWED_HASS or
obj is hass.bus and name not in ALLOWED_EVENTBUS or
obj is hass.states and name not in ALLOWED_STATEMACHINE or
obj is hass.services and name not in ALLOWED_SERVICEREGISTRY):
raise ScriptError('Not allowed to access {}.{}'.format(
obj.__class__.__name__, name))
return getattr(obj, name, default)
restricted_globals = { restricted_globals = {
'__builtins__': safe_builtins, '__builtins__': safe_builtins,
'_print_': StubPrinter, '_print_': StubPrinter,
'_getattr_': getattr, '_getattr_': protected_getattr,
'_write_': full_write_guard, '_write_': full_write_guard,
} }
logger = logging.getLogger('{}.{}'.format(__name__, filename))
local = { local = {
'hass': hass, 'hass': hass,
'data': data, 'data': data or {},
'logger': logging.getLogger('{}.{}'.format(__name__, filename)) 'logger': logger
} }
try: try:
_LOGGER.info('Executing %s: %s', filename, data) _LOGGER.info('Executing %s: %s', filename, data)
# pylint: disable=exec-used # pylint: disable=exec-used
exec(compiled.code, restricted_globals, local) exec(compiled.code, restricted_globals, local)
except ScriptError as err:
logger.error('Error executing script: %s', err)
except Exception as err: # pylint: disable=broad-except except Exception as err: # pylint: disable=broad-except
_LOGGER.exception('Error executing script %s: %s', filename, err) logger.exception('Error executing script: %s', err)
class StubPrinter: class StubPrinter:

30
tests/components/test_python_script.py
View File

@ -120,4 +120,32 @@ raise Exception('boom')
hass.async_add_job(execute, hass, 'test.py', source, {}) hass.async_add_job(execute, hass, 'test.py', source, {})
yield from hass.async_block_till_done() yield from hass.async_block_till_done()
assert "Error executing script test.py" in caplog.text assert "Error executing script: boom" in caplog.text
@asyncio.coroutine
def test_accessing_async_methods(hass, caplog):
"""Test compile error logs error."""
caplog.set_level(logging.ERROR)
source = """
hass.async_stop()
"""
hass.async_add_job(execute, hass, 'test.py', source, {})
yield from hass.async_block_till_done()
assert "Not allowed to access async methods" in caplog.text
@asyncio.coroutine
def test_accessing_forbidden_methods(hass, caplog):
"""Test compile error logs error."""
caplog.set_level(logging.ERROR)
source = """
hass.stop()
"""
hass.async_add_job(execute, hass, 'test.py', source, {})
yield from hass.async_block_till_done()
assert "Not allowed to access HomeAssistant.stop" in caplog.text