Re: New last hours of cb, CB stats - feature request

by Discipulus (Canon)
on Nov 24, 2023 at 13:15 UTC ( [id://11155792] )


in reply to New last hours of cb, CB stats

Dear cavac,

While I want to thank you warmly for your work, and not wanting to profit too much from your brain-time... what about giving chatterbot the power of Perl?

!eval say $^V Discipulus: v5.39.4

Gods permitting, this will be a nice feature to have. I've seen it implemented in the #perl IRC channel on MAGnet. There, if you ask perlbot about its source, it shows further links to explore:

perlbot: source Discipulus: check out my insides http://github.com/perlbot/perlbuut/ | If you're after an eval server look at App::EvalServer and App::EvalServerAdvanced on CPAN, also check out nsjail for a more generic sandbox https://github.com/google/nsjail | Also check out the rest of the perlbot projects at https://github.com/perlbot/

The perlbot plugins command shows a lot of plugins, among them the eval one, and also shows useful variations:

perlbot help eval Discipulus: The eval plugin. Syntax, «eval: code». Prefixes: w=>warnings, s=>strict, m=>use Ojo. Suffixes: t=>threaded, pb=>pastebin it, nl=>turn \n to ␤.

I find the pastebin ability extremely useful.

L*

PS: rethinking it, instead of pastebin it could be integrated with haukex's wonderful webperl project. Everything in-house :)

As you can see, it accepts JSON inputs as well.

There are no rules, there are no thumbs..
Reinvent the wheel, then learn The Wheel; may be one day you reinvent one of THE WHEELS.

Re^2: New last hours of cb, CB stats - feature request
by afoken (Chancellor) on Nov 24, 2023 at 17:59 UTC
    !eval say $^V Discipulus: v5.39.4

    Built-in unauthenticated remote code execution. Think about these:

    !eval system "rm -rf /"
    !eval system "wget -m -np http://www.example.com/tons/of/junk/"

    Do you want to eval that on your server?

    Alexander

    --
    Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)

      Built-in unauthenticated remote code execution.

      Oh, i would never actually eval() anything that i get over the internet. I don't even use filepaths directly to avoid path exploits. I pre-cache the available files either in RAM or in the database; when a request comes in i basically use defined() to check if that key exists.

      In the case of command handling, i'd basically do the same. "Is that text after 'eval ' in my cache? No? Then ignore the command, else return the static text from the hash."

      There is pretty much exactly ONE case where i have to run user-provided code. That thing runs server-side JavaScript in a JavaScript::Embedded sandbox, inside a sandboxed virtual machine. And every call and every code change is logged and the logs sent to a second server (one-way communication). And if the server detects any funny business, the source IP is automatically firewalled. I'm not taking any chances.

      Oh sure, my system might still have remote exploits (pretty much every server software does), but i take great care to prevent any potential attack vectors using defense-in-depth design choices and not trusting the client in the slightest. The thing certainly isn't perfect, but my software has now run 15+ years on the net, and so far i haven't had a break-in or even a JavaScript injection.

      Taint mode

      That's one thing i don't use. Not explicitly, anyway. I treat every user input as tainted, but my software doesn't technically support taint mode.

      PerlMonks XP is useless? Not anymore: XPD - Do more with your PerlMonks XP

      Two words: Taint Mode.

      ;-)


      🦛
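One way to build the allowlist-style command handler cavac describes, run under the taint mode hippo recommends. This is an added example, not code from the thread or from the XPD/PageCamel bot; the command names, canned replies and the tainted test strings are constructed here.

```perl
#!/usr/bin/perl -T
# Run as: perl -T allowlist_bot.pl   (-T must also be given on the command line)
use strict;
use warnings;
use Scalar::Util qw(tainted);

# A zero-length slice of environment data keeps its taint flag, so it marks
# constructed test strings as "came from outside", just as a line read from a
# socket or STDIN would be marked under -T.
my $TAINT = substr(join('', values %ENV), 0, 0);

# Constructed canned replies (the bot in the thread would load these from its DB).
my %COMMANDS = (
    version => "This bot runs Perl $^V",
    source  => 'Source is not published yet.',
);
my @names = (keys %COMMANDS, 'help');
$COMMANDS{help} = 'Known commands: ' . join(', ', sort @names);

# Returns the canned reply for "!<word>", or undef when <word> is not an exact
# allowlist key.  The hash lookup is the whole decision: no path leads from
# $line to eval(), unlike a bot that does `eval $line` for "!eval".
sub handle_line {
    my ($line) = @_;
    return undef unless $line =~ /\A!([a-z]+)\s*\z/;
    my $cmd = $1;                       # only ever used as a hash key
    return exists $COMMANDS{$cmd} ? $COMMANDS{$cmd} : undef;
}

# What -T adds underneath: should a bug ever hand raw chat text to system(),
# Perl dies before anything runs.  PATH & co. are sanitised first, otherwise
# -T rejects the call because of the environment instead (see perlsec).
sub taint_guard_demo {
    my ($text) = @_;
    $ENV{PATH} = '/usr/bin:/bin';
    delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
    my $ran = eval { system('echo', $text) == 0 };
    return 'executed' if $ran;
    (my $err = $@) =~ s/\n\z//;
    return "blocked: $err";
}

my $chat_line = '!version' . $TAINT;    # constructed, tainted like real input
print 'input tainted: ', (tainted($chat_line) ? 'yes' : 'no'), "\n";
for my $l ($chat_line, '!help', '!eval say $^V' . $TAINT) {
    my $reply = handle_line($l);
    print "$l => ", (defined $reply ? $reply : 'ignored'), "\n";
}
print taint_guard_demo($chat_line), "\n";
```

The last line shows the safety net: the tainted chat text never reaches the shell, and the "!eval ..." line is simply ignored because it is not an allowlist key.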

Re^2: New last hours of cb, CB stats - feature request
by cavac (Parson) on Nov 25, 2023 at 01:37 UTC

    While i certainly have plans to open source the chatterbot code, this is all a bit more complicated than you might think. It's currently integrated into the XPD system, because that one already had a lot of PerlMonks API code *and* a running webserver *and* a database *and* a working/paid-for domain.

    In addition to that, the whole thing uses my own framework, which has a *lot* of dependencies and a complicated database scheme.

    Not making excuses here, i just never found a nice way to open source projects based on my framework. It's a very nice tool for commercial projects, but to set up a working project on your own computer requires an easy-to-remember 60-step process...

    It's also important to note here that PageCamel doesn't use an external webserver, it IS the webserver, which is split into a protocol frontend (https, http plus handling of virtual hosting) and backend processes. In the case of the XPD server, it doesn't even run its own frontend service; that one is done by the cavac.at/Null Island Space Agency project.

    Yes, source will come some day, but at the moment there's a lot of cleanup and documentation work to be done before that can happen.

    PerlMonks XP is useless? Not anymore: XPD - Do more with your PerlMonks XP