safe console inside a shiny application
I am currently developing shiny applications that aim to teach R via interactive courses. For that purpose, I have already worked with multiple-choice questions and free-text questions. Now I want to tackle questions where the users of the app (students) can enter their own R code in a text field and run it.
My current implementation basically uses eval inside an observer.
    ## evaluate the user's expression and store the results.
    observeEvent(input$evluate, {
      reactives$result <- eval(parse(text = input$console_in))
    })
This implementation has serious drawbacks when it comes to security since users can insert and run arbitrary code on the server.
- What are the best practices to make the console safer?
- How should the working directory be specified during the evaluation?
It is planned to release an open-source version of this software at some point. Therefore, I would prefer a solution which is not platform dependent and which doesn't complicate the deployment of the application.
r security shiny
asked Jan 1 at 22:08 by Gregor de Cillia (edited Jan 2 at 17:26)
1 Answer
For evaluating arbitrary code, I like the whitelisting approach where you put all known and safe functions in an empty environment to be evaluated in. I think that's the simple and easy solution vs. blacklisting functions or trying to sandbox outside of R. Here's a much better answer with examples: Safely evaluating arithmetic expressions in R?
Alternatively, here's a POC package that takes a blacklisting approach: https://github.com/Rapporter/sandboxR
All other sandboxing methods I can think of are Linux specific. There's https://github.com/jeroen/RAppArmor which uses AppArmor to sandbox at the OS level. And then using Docker or Linux containers to run sandboxed code.
answered Jan 2 at 14:59 by greg L
Thank you very much. For some reason I was just thinking about blacklisting and sandboxing but the whitelist approach seems best for my use case. Since the apps are pedagogic, I don't mind limiting my users to a hand-selected set of functions and this security layer seems really hard to get around.
– Gregor de Cillia
Jan 2 at 17:29
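The allow-list approach from the answer, as an added example that is not part of the original posts: a hand-picked set of base functions is copied into an environment whose parent is `emptyenv()`, so any other call fails at lookup. The names `ALLOWED`, `make_safe_env` and `safe_eval`, the chosen function list and the 2-second limit are assumptions.

```r
# Added example: allow-list evaluation for a teaching console.
# ALLOWED, make_safe_env() and safe_eval() are hypothetical names.

# Only these base functions are visible to submitted code. Note what is
# absent: `function`, `::`, `eval`, `get`, `do.call`, file and system calls.
ALLOWED <- c("+", "-", "*", "/", "^", "(", "{", "<-", ":", "[", "c",
             "sum", "mean", "sqrt", "length", "rev", "round", "paste")

make_safe_env <- function(allowed = ALLOWED) {
  # emptyenv() as parent: lookups never fall through to base or globalenv.
  env <- new.env(parent = emptyenv())
  for (name in allowed) {
    fn <- get(name, envir = baseenv(), mode = "function")
    assign(name, fn, envir = env)
  }
  env
}

safe_eval <- function(code, time_limit = 2) {
  # Bound CPU and elapsed time so one submission cannot hang the R process.
  setTimeLimit(cpu = time_limit, elapsed = time_limit, transient = TRUE)
  on.exit(setTimeLimit(cpu = Inf, elapsed = Inf, transient = FALSE))

  # Fresh environment per call: nothing a user assigns or overwrites
  # survives into the next evaluation or another session.
  env <- make_safe_env()
  tryCatch({
    exprs <- parse(text = code, keep.source = FALSE)
    value <- NULL
    for (e in exprs) value <- eval(e, envir = env)
    list(ok = TRUE, value = value)
  }, error = function(err) {
    # Parse errors, failed lookups and time-limit errors all land here.
    list(ok = FALSE, value = conditionMessage(err))
  })
}

# Constructed sample submissions.
submissions <- c(
  "x <- c(1, 4, 9); sum(sqrt(x))",        # uses only allow-listed functions
  "list.files()",                          # not on the allow-list
  "base::list.files()",                    # `::` is itself a function, not exposed
  "eval(parse(text = 'list.files()'))"     # `eval` and `parse` are not exposed
)
for (s in submissions) str(safe_eval(s))
```

In the observer from the question, `safe_eval(input$console_in)` would take the place of `eval(parse(text = input$console_in))`. With this allow-list no file or system function is reachable from submitted code, so the working directory is not exposed to it.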