9

In a recent release of Blender a safeguard for Python scripts has been introduced. This is to prevent Python scripts from doing any damage to the system. Although I doubt that there are any Blender users that want to wreak havoc, Blender now has a built-in system for protecting against malicious scripts. I do not trust this system though. How can I determine manually if a Python script is hostile?

So far this is what I have come up with:

import os: there is no reason that a Python script for Blender needs this module; this allows the user to run cmd/terminal commands.

What other things are there to watch out for?

ideasman42
Vader

2 Answers

11

os isn't the only module that provides functions to remove files from the filesystem etc.; shutil can be used for such evil things too. Or you could somehow shell-execute system commands to do so.

Module imports can even be camouflaged like this:

evil_module = __import__(chr(int("".join(map(lambda x: str(x), [1]*3)))) + '\x73')

So you won't immediately know what it actually imports (os module in this case).

What is to be seen as malicious also depends on your view. Like with any trojan, virus or whatever, they don't necessarily damage your system or delete things. A Python script could open a network connection and send spam mails, or transmit information about your machine to an attacker.

There are many possibilities to abuse Python, and bpy makes it rather worse - bpy.ops.wm.url_open(url="...") could be used to open a prepared website that infects you with a drive-by download.

The best protection is to run scripts from trusted sources only.

CodeManX
  • Thanks for the example, CodeManX. Are there any others that you can think of? It would be nice to have a list compiled of anything which may be suspicious. Really, it would be nice if Blender could detect these and show a warning. – MarcClintDion Feb 23 '14 at 22:45
  • I don't think it's possible to define a list of potentially malicious modules, functions etc., just like for virus scanners. You wouldn't want to block I/O for an importer/exporter, but a malicious script may use it to spread itself. There is no absolute security, unless you unplug your computer and never use it. It doesn't make any sense IMO to collect things that could be abused (people are too creative), you would either break good scripts, or inevitably overlook something a bad script makes use of. – CodeManX Feb 24 '14 at 00:37
  • Alright, so I agree with a lot of that but there would have to be a pretty good reason for scripts to have the ability to delete files on the HD. That to me is something people should be aware of if it exists. Another one would be network access. To my thinking, Python interfaces should have no concept of either of these two ideas. These two things combined could destroy a lot of computers. There is no reason for this threat to even be in Blender. There is a very good reason why Windows OS has proven so insecure and it's all the software that has these vulnerabilities built in. – MarcClintDion Feb 24 '14 at 05:03
  • It's not just Blender users that are a problem. If people who like to target other people's machines with malicious code have a way to use Blender installations as a site of vulnerability then they will certainly exploit this. If you leave the front door of your house open when you are not there then people will go into your house and take things. That is unfortunately the way the world is. Any features like this should be set to 'off' by default and even expert users should have to jump through annoying hoops to activate them for their own machines. – MarcClintDion Feb 24 '14 at 05:08
  • Have a look at the trunk addons, e.g. netrender: It requires the modules sys, os, http, socket, shutil and more. It sends and receives data via network (could also be internet I guess) and removes files recursively (shutil.rmtree), it's not a malicious script however. Would you want this to be blocked? – CodeManX Feb 24 '14 at 14:51
  • Ok right, I forgot about renderfarms, oops.

    My concern is that Blender might become a leper due to rumors or carelessness regarding security. I'm not advocating that people panic and uninstall Blender. Just that extra caution is used by Devs so that these fears and possibilities do not snowball.

    Any software package that gains a reputation for being easily exploitable can end up black-balled very easily. Many companies might refuse to allow it in their buildings.

    – MarcClintDion Feb 25 '14 at 15:01
  • I'm hoping to avoid sounding like an alarmist but there was a time when many of the world's main DNS servers would be offline sometimes for days at a time and almost everybody that had an email address was getting viruses sent to them as attachments by addresses that belonged to their close family and friends.

    This type of thing should not be taken lightly.

    – MarcClintDion Feb 25 '14 at 15:02
  • The change in 2.68 was done to increase security, without any evidence that something bad ever happened to anyone. Nothing will be auto-run anymore by default. I find it absolutely sufficient. Everything else the user could run can be good or bad, there's no easy way to figure it out. The addons shipping with Blender are controlled, addons_contrib from official repository should be safe too. The rest is up to the user and in the worst case the virus scanner / firewall. There are countless threats worse than Blender. – CodeManX Feb 25 '14 at 18:05
  • I agree about all of that. The addons that Blender ships with are well chosen and the threat is light. Watching a free movie is currently a bigger security threat. Blender is in no current danger of becoming a community-wide CUDA-powered virus render-farm. Not for now anyways. One thing I am certain of is that somebody, somewhere is planning things like this. – MarcClintDion Feb 26 '14 at 02:33
2

There are justifiable use-cases for all potentially dangerous Python modules. The more you exclude from Python in a standard Blender distribution, the less useful it is for good-natured coders. Some of the built-ins, exec() and eval() for instance, can add an extra layer of obfuscation to the code being executed; you'd need to use repr() to see what kind of code they're attempting to run - but that doesn't mean that they don't have perfectly legitimate uses in a dynamic program.

Yeah, it's a valid security concern and that's why Blender doesn't auto-run Python scripts in .blend files by default, until you manually tick the box "Auto Run Python Scripts". Blender will tell you if a driver in a .blend wants to auto run, but it will make you navigate to User-Preferences -> File and set it yourself.


The only way to reduce the potential harm of using .blends / scripts that you don't trust is to first read them. With scripts at least you can read the source. How many programs do you install for which you don't first read the source? A lot probably.

zeffii
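As an aid to the manual read-through both answers recommend, here is an added example (not code from either answer or from Blender) that parses a script with Python's ast module, without executing it, and lists imports and calls worth a closer look, including the camouflaged __import__ shown above and exec()/eval(). The watch lists and the sample script are assumptions made for illustration; as the comments point out, no such list is complete, so an empty report only narrows where to read first.

```python
import ast

# Assumption: these names are an illustrative watch list, not a complete one.
WATCHED_MODULES = {"os", "shutil", "subprocess", "socket", "http", "urllib", "ctypes"}
DYNAMIC_CALLS = {"__import__", "exec", "eval", "compile"}
WATCHED_ATTR_CALLS = {"bpy.ops.wm.url_open", "importlib.import_module", "shutil.rmtree"}

def dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None

def audit(source):
    """Parse (never execute) a script and return sorted (line, finding) pairs."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        names = []
        if isinstance(node, ast.Import):
            names = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            names = [node.module or ""]
        for name in names:
            if name.split(".")[0] in WATCHED_MODULES:
                findings.append((node.lineno, "import " + name))
        if isinstance(node, ast.Call):
            target = dotted_name(node.func)
            if target in DYNAMIC_CALLS:
                # A non-literal argument means the real name or code is built at run time.
                literal = bool(node.args) and isinstance(node.args[0], ast.Constant)
                note = "literal argument" if literal else "computed argument, read by hand"
                findings.append((node.lineno, f"{target}() with {note}"))
            elif target in WATCHED_ATTR_CALLS:
                findings.append((node.lineno, target + "()"))
    return sorted(findings)

# Constructed sample input: the camouflaged import from the answer plus two other patterns.
SAMPLE = '''import bpy
evil_module = __import__(chr(int("".join(map(lambda x: str(x), [1]*3)))) + '\\x73')
from shutil import rmtree
bpy.ops.wm.url_open(url="https://example.invalid/")
'''

if __name__ == "__main__":
    print(*(f"line {n}: {finding}" for n, finding in audit(SAMPLE)), sep="\n")
```

A legitimate addon such as the netrender one mentioned in the comments would also produce findings here, so the output is a reading guide, not a verdict.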