Object-capability security in Racket? - security

Racket's sandbox seems great for running code I don't trust, but I would like to prevent modules that call one another in the sandbox from being able to see or modify one another's internal state, code, or behavior. Right now the best way I can think of to do that is with separate sandboxes and a modified "require" that wraps all exported functions in contracts that create proxies. Is there a better way?

Could you provide a concrete example?
If module A requires module B, then module A can't see inside B.
Module A can use the functions that module B explicitly provided.
Some of these might change internal state in module B.

Related

Languages with a NodeJS/CommonJS style module system

I really like the way NodeJS (and it's browser-side counterparts) handle modules:
var $ = require('jquery');
var config = require('./config.json');
module.exports = function(){};
module.exports = {...}
I am actually rather disappointed by the ES2015 'import' spec which is very similar to the majority of languages.
Out of curiosity, I decided to look for other languages which implement or even support a similar export/import style, but to no avail.
Perhaps I'm missing something, or more likely, my Google Foo isn't up to scratch, but it would be really interesting to see which other languages work in a similar way.
Has anyone come across similar systems?
Or maybe someone can even provide reasons that it isn't used all that often.
It is nearly impossible to properly compare these features. One can only compare their implementation in specific languages. I collected my experience mostly with the language Java and nodejs.
I observed these differences:
You can use require for more than just making other modules available to your module. For example, you can use it to parse a JSON file.
You can use require everywhere in your code, while import is only available at the top of a file.
require actually executes the required module (if it was not yet executed), while import has a more declarative nature. This might not be true for all languages, but it is a tendency.
require can load private dependencies from sub directories, while import often uses one global namespace for all the code. Again, this is also not true in general, but merely a tendency.
Responsibilities
As you can see, the require method has multiple responsibilities: declaring module dependencies and reading data. This is better separated with the import approach, since import is supposed to only handle module dependencies. I guess, what you like about being able to use the require method for reading JSON is, that it provides a really easy interface to the programmer. I agree that it is nice to have this kind of easy JSON reading interface, however there is no need to mix it with the module dependency mechanism. There can just be another method, for example readJson(). This would separate the concerns, so the require method would only be needed for declaring module dependencies.
Location in the Code
Now, that we only use require for module dependencies, it is a bad practice to use it anywhere else than at the top of your module. It just makes it hard to see the module dependencies when you use it everywhere in your code. This is why you can use the import statement only on top of your code.
I don't see the point where import creates a global variable. It merely creates a consistent identifier for each dependency, which is limited to the current file. As I said above, I recommend doing the same with the require method by using it only at the top of the file. It really helps to increase the readability of the code.
How it works
Executing code when loading a module can also be a problem, especially in big programs. You might run into a loop where one module transitively requires itself. This can be really hard to resolve. To my knowledge, nodejs handles this situation like so: When A requires B and B requires A and you start by requiring A, then:
the module system remembers that it currently loads A
it executes the code in A
it remembers that is currently loads B
it executes the code in B
it tries to load A, but A is already loading
A is not yet finished loading
it returns the half loaded A to B
B does not expect A to be half loaded
This might be a problem. Now, one can argue that cyclic dependencies should really be avoided and I agree with this. However, cyclic dependencies should only be avoided between separate components of a program. Classes in a component often have cyclic dependencies. Now, the module system can be used for both abstraction layers: Classes and Components. This might be an issue.
Next, the require approach often leads to singleton modules, which cannot be used multiple times in the same program, because they store global state. However, this is not really the fault of the system but the programmers fault how uses the system in the wrong way. Still, my observation is that the require approach misleads especially new programmers to do this.
Dependency Management
The dependency management that underlays the different approaches is indeed an interesting point. For example Java still misses a proper module system in the current version. Again, it is announced for the next version, but who knows whether this will ever become true. Currently, you can only get modules using OSGi, which is far from easy to use.
The dependency management underlaying nodejs is very powerful. However, it is also not perfect. For example non-private dependencies, which are dependencies that are exposed via the modules API, are always a problem. However, this is a common problem for dependency management so it is not limited to nodejs.
Conclusion
I guess both are not that bad, since each is used successfully. However, in my opinion, import has some objective advantages over require, like the separation of responsibilities. It follows that import can be restricted to the top of the code, which means there is only one place to search for module dependencies. Also, import might be a better fit for compiled languages, since these do not need to execute code to load code.

How to stop two orchard modules conflicting

I have two Orchard Modules.
Both have implementations of IAppSettings , which is defined in an external dll, and referenced in the modules via nuget package (So I cannot use IDependency ).
I wire these up using an Autofac Module class in each module.
Unfortunately this leads to "last registration wins" and both modules will use the last registered implementation, even though the "expected" result would be that each uses their own.
To be clear, each module is developed by a separate team, who don't co-ordinate with each other, but do use the same guidelines for module creation. The example above is just one instance of this occurring, but it is fair to assume there would be more.
How might I go about ensuring that each team can register their own dependencies for their modules, without constantly having to check with the authors of other modules?
There is one Autofac container per tenant, not per (Orchard) modules. You see the implications of this.
However this couldn't be much differently since interaction between modules would be seriously hindered if dependencies would be scoped to extensions.
Also one of the points of DI is that you can override the implementation: this is also desired here, since if you implement a dependency in Module A, then also in Module B (where Module B depends on Module A) then Module B can override the default implementation. This is a good thing.
Instead of wanting to require specific implementations for your interfaces what kind of defeats DI you could implement the strategy pattern for example. But if you tell more details I could help more.

Over-use of require() in node.js, mongoose

I'm new to Node.js, but quite like the module system and require().
That being said, coming from a C background, it makes me uneasy seeing the same module being require()'d everywhere. All in all, it leads me to some design choices that deviate from how things are done in C. For example:
Should I require() mongoose in every file that defines a mongoose model? Or inject a mongoose instance into each file that defines a model.
Should I require() my mongoose models in every module that needs them? Or have a model provider that is passed around and used to provide these models.
Ect. For someone who uses dependency injection a lot - my gut C feeling is telling me to require() a module only once, and pass it around as needed. However, after looking at some open-source stuff, this doesn't seem to be Node way of things. require() does make things super easy..
Does it hurt to overuse this mechanism?
require() caches modules when you use it. When you see the same file or module required everywhere it's only being loaded once, and the stored module.exports is being passed around instead. This means that you can use require everywhere and not worry about performance and memory issues.
As cptroot states requiring a module everywhere you need it instead of passing it around as an argument is safe to do and is also much easier. However, you should view any require call as a hardcoded dependency which you can't change easily. E.g. if you want to mock a module for testing these hardcoded dependencies will hurt.
So passing a module instance around as an argument instead of just requiring it again and again reduces the amount of hardcoded dependencies because you inject this dependency now. E.g. in your tests you will benefit from easily injecting a mock instead.
If you go down this road you will want to use a dependency injection container that helps you injecting all your dependencies and get rid of all hardcoded require calls. To choose a dependency injection container appropriate for your project you should read this excellent article. Also check out Fire Up! which I implemented.

Isolating global changes between modules in node.js

It seems like if I modify, say, Object.prototype, that seems to be visible across all modules. It would be very nice if these global changes could be isolated so that a module is protected from being affected by modules is doesn't require.
Is this in any way possible?
Object.prototype is an object, and there's only one of it, so modifying it in one place affects all references to that object (just like any object). This is generally considered a benefit since it makes modules like colors possible. It shouldn't be necessary protect modules from changes made to global prototypes, since those changes should only be extensions. If your, or someone else's, modules are modifying built-in methods/properties, then that's probably bad practice in the first place.
Although you didn't give an example, I would think you probably want to either create local functions (not attached to the prototype), or look into using inheritance to solve your concerns with specific objects.

Python module get top scope variables

Hey, in my python modules (written in python) I want to be able to access the variables from the top level scope, that is, the file that is calling the modules. How would I go about doing this?
Thanks.
There's no way that will work in all environments, so a precise answer might depend on how you are running your top-level Python code. The best thing to do is to put the variables into an object and pass the object to the functions that need it.
In general, the way to do this is to provide some API to your plugins (e.g. a module that they import) to provide controlled access to the information they need.
If this information may vary by context, and passing in different arguments to a plugin initialisation function isn't appropriate, then an information API that uses threading.local under the covers may be of value.

Resources