Home
Reading
Searching
Subscribe
Sponsors
Statistics
Posting
Contact
Spam
Lists
Links
About
Hosting
Filtering
Features Download
Marketing
Archives
FAQ
Blog
 
Gmane
From: Gwern Branwen <gwern0 <at> gmail.com>
Subject: ANN: Mueval 0.21
Newsgroups: gmane.comp.lang.haskell.cafe
Date: Saturday 14th June 2008 12:30:12 UTC (over 9 years ago)
Hiya everyone. I'd like to announce the release of a little CLI program I
whipped up. It's called mueval <http://hackage.haskell.org/cgi-bin/hackage-scripts/package/mueval>.

WHAT:
Mueval grew out of my discontent with Lambdabot: it's really neat to be
able to run expressions like this:

07:53 < ivanm> > filter (\ x -> isLetter x || x == '\t') "asdf$#$     dfs"
07:55 < lambdabot>  "asdfdfs"

But lambdabot is crufty and very difficult to install or run. IMO, we need
a replacement or rewrite, but one of the things that make this difficult is
that lambdabot uses hs-plugins to get that sort of evaluation
functionality, and hs-plugins is half the problem. We want some sort of
standalone executable which provides that functionality. Now, 'ghc -e' is
obviously unsuited because there is no sandboxing, so what I've done is
basically marry the GHC API (as rendered less sharp-edged by Hint) with a
bunch of resource limits and sandboxing (as largely stolen from lambdabot).

EXAMPLES:
The end result is an adorable little program, which you can use like this:

 bash-3.2$ mueval --expression '1*100+1'
 Expression type: (Num t) => t
 result: "101"

 bash-3.2$ mueval --expression "filter (\`notElem\` ['A'..'Z'])
\"abcXsdzWEE\""
 Expression type: [Char]
 result: "\"abcsdz\""

Note that mueval will avoid all the attacks I've been able to test on it:

 bash-3.2$ mueval --expression 'let x = x in x'
 Expression type: t
 result: "mueval: Time limit exceeded

 bash-3.2$ mueval --expression "let foo = readFile \"/etc/passwd\" >>=
print in foo"
 Expression type: IO ()
 result: ""

 bash-3.2$ mueval --module System.IO.Unsafe --expression "let foo =
unsafePerformIO readFile \"/etc/passwd\" in foo"
 mueval: Unknown or untrusted module supplied! Aborting.


SUMMARY:
Anyway, it's my hope that this will be useful as an example or useful in
itself for people endeavouring to fix the lambdabot situation or just in
safely running code period.

GETTING:
You can download mueval at the usual place: <http://hackage.haskell.org/cgi-bin/hackage-scripts/package/mueval>.
(There will probably be a darcs repository at some point.)

-----
TODO:
Mueval isn't feature-complete yet. The last thing I want to add is an
ability to change the current user to 'mubot', which presumably the user
will have set up to have access to next to nothing much like is already
often done with daemons, but I haven't been able to figure out how to do
this - the only suitable function I've found is 'setUID', and that requires
one to be root...

--
gwern
SHA Fetish Ceridian Eurosat munitions MCI spies 26 M.P.R.I. ISN
 
CD: 2ms