A full-scale PHP 5.3.2+ sandbox class that utilizes PHPParser to prevent sandboxed code from running unsafe code.

I stumbled upon this library and wanted to test it out with my new project which will have some user supplied code executed. But the thing is, this is my first Laravel project and I'm complete newb with both Laravel and composer. I tried running composer require fieryprophet/php-sandbox and I get this:

d:\wwwroot\my-test-project>composer require fieryprophet/php-sandbox
Using version ^1.3 for fieryprophet/php-sandbox
./composer.json has been updated
> php artisan clear-compiled
Loading composer repositories with package information
Updating dependencies (including require-dev)
Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - Installation request for nikic/php-parser == 1.4.0.0 -> satisfiable by nik
ic/php-parser[v1.4.0].
    - fieryprophet/php-sandbox v1.3.9 requires jeremeamia/functionparser dev-mas
ter -> no matching package found.
    - fieryprophet/php-sandbox v1.3.8 requires jeremeamia/functionparser dev-mas
ter -> no matching package found.
    - fieryprophet/php-sandbox v1.3.7 requires jeremeamia/functionparser dev-mas
ter -> no matching package found.
    - fieryprophet/php-sandbox v1.3.6 requires jeremeamia/functionparser dev-mas
ter -> no matching package found.
    - fieryprophet/php-sandbox v1.3.5 requires jeremeamia/functionparser dev-mas
ter -> no matching package found.
    - fieryprophet/php-sandbox v1.3.10 requires nikic/php-parser ~0.9.5 -> satis
fiable by nikic/php-parser[v0.9.5].
    - fieryprophet/php-sandbox v1.3.11 requires nikic/php-parser ~0.9.5 -> satis
fiable by nikic/php-parser[v0.9.5].
    - Conclusion: don't install nikic/php-parser v0.9.5
    - Installation request for fieryprophet/php-sandbox ^1.3 -> satisfiable by f
ieryprophet/php-sandbox[v1.3.10, v1.3.11, v1.3.5, v1.3.6, v1.3.7, v1.3.8, v1.3.9
].

Potential causes:
 - A typo in the package name
 - The package is not available in a stable-enough version according to your min
imum-stability setting
   see <https://groups.google.com/d/topic/composer-dev/_g3ASeIFlrc/discussion> f
or more details.

Read <https://getcomposer.org/doc/articles/troubleshooting.md> for further commo
n problems.

Installation failed, reverting ./composer.json to its original content.

It seems Laravel already uses nikic/php-parser v.1.4.0.0 and your library requires v.0.9.5. Any idea how to solve this?

Hello guys As you remember I was waiting for #19 pull request and it does not fix the problem with PHP 5.6. Here is my fix. And some updates of requirements. Tests are passed even on 5.6 version Thank you

P.S. If you accept this pull request, please, do not forget the create new tag (version, release).

When you try to run the code below with the PHPSanbox:

function test(){
  echo('Hello World!');
}

function hello(){
  test();
}

It gives out an error:

exception 'PHPSandbox\Error' with message 'Sandboxed code attempted to call non-whitelisted function: test'

This is my sandbox setup:

  $sandbox = new \PHPSandbox\PHPSandbox;
  $sandbox->set_option('allow_trusted_code', true);
  $sandbox->set_option('allow_functions', true);
  $sandbox->set_option('allow_globals', true);
  $sandbox->set_option('allow_variables', true);
  $sandbox->set_option('allow_classes', true);
  $sandbox->set_option('allow_closures', true);
  $sandbox->set_option('allow_namespaces', true);
  $sandbox->set_option('allow_aliases', true);
  $sandbox->set_option('allow_interfaces', true);
  $sandbox->set_option('allow_generators', true);
  $sandbox->set_option('allow_escaping', true);
  $sandbox->set_option('allow_casting', true);

Is there a setup to make the code above work? Or any workarounds?

Hi,

if I try to run the following code in the Sandbox, it will report that function it() was undefined in the eval()'d code:

If I declare function it() before calling it, the code will execute. Outside the Sandbox, the code shown above runs fine. Is there any way to use the Sandbox with code that uses functions or classes that will be declared after they're referenced in the code?

Here's my configuration:

$sandbox->whitelist_keyword(array("type","function","class","echo","new","implements")); $sandbox->set_option("allow_functions",true); $sandbox->set_option("allow_classes",true); $sandbox->set_option("oOverwrite_defined_functions",false);

Thanks a lot

Paul

Hello,

I don't know if this is actually an issue, is more of a question. I see that by default I have to whitelisted everything that I want to be used, but given the situation that I'm trying to use PHPSandbox, this is impossible to be done. It's possible to use without having to set all the functions, vars, keywords, etc to the whitelist? I'd like that things that aren't whitelisted and blacklisted could be executed. Is there a configuration that can be set or there's no possibility to do that?

Thanks for the attention.

Here the scenario

Below will work

http://kodeinfo.com/sandbox/get/11

But If you call a function before its defined it wont work

http://kodeinfo.com/sandbox/get/12

I have checked the logs and below is what i see problem is execute statement is wrapped in try catch

    try {
        $result = $sandbox->execute($input);
    }catch(Exception $e){
        return $e->getMessage();
    }catch(\Symfony\Component\Debug\Exception\FatalErrorException $e){
        return $e->getMessage();
    }

but it is unable to even execute catch

below is log

Call to undefined function print_nice()

vendor/fieryprophet/php-sandbox/src/PHPSandbox.php(6919) : eval()'d code:3 handleShutdown [internal]:0 [main]

I am looking into it , thought to just put here if any one can get it right

Thanks

Hi, I have a problem with namespaces on a linux platform with Symfony2. Symfony uses an autoloader that relies on namespace definition for finding the appropiate class declarations. For example, if a class is declared con Foo\Bar namespace, the autoloader loads a class from Foo/Bar directory. When trying to use sandbox in this context, I faced a problem because the namespaces are converted to lowercase, and the autoloader can't find the whitelisted classes.

For example:

in Foo/Bar folder: Sample.php:

namespace Foo\Bar;

class Sample {
    public function doSomething() {
        return 10;
    }
}

In Test folder:

namespace Test;

 class SampleTest {
      public function test() {
             $sandbox = \PHPSandbox\PHPSandbox::create();
             $sandbox->allow_classes = true;         
             $sandbox->define_alias('Foo\Bar', 'Scripting');
             $sandbox->whitelist_class('Scripting\Sample');

              $sandbox->execute('
                           class ConcreteSample extends Scripting\Sample {
                                      public function doSomething() {
                                              return 20;
                                      }
                           }

                          $a = new ConcreteSample();
                          return $a->doSomething();
               ');
      }
 }

With following code:

$a = new SampleTest();
$a->test();

I receive an error because the class foo\bar\Sample is not declared. This is because (in linux) the folder foo\bar (lowercase) does not exists.

Is there a solution to this problem? Why are the namespaces being "normalized"?

Hi, I can't find an answer to this anywhere in the docs: how to pass a context through repeat executions of different sandboxed code.

For example, on first execution, I define a variable:

$a = 'hello world';

Then on second execution, I echo it:

echo $a;

The sandbox appears to discard the context between executions. Is there a way to tell it to save the state so the second execution does not fail with Undefined variable: a?

Is it possible to parse something like this:

I love eating <?php echo "appples"; ?>

I'm building a learning tool for my students and while parsing PHP works out fine, I'm trying to figure out how to parse HTML mixed with php

At the moment the site seems to be down so I can't access the manual and I don't see any mention of it here on GitHub so I wasn't sure if you were aware. I see the package comes with the Manual.html though so I guess this is more of a friendly poke then a real issue.

Hi,If the sandbox execute function include a file,and the included file has a parse error,now it will return an error with msg "Could not parse sandboxed code!",can it return an error with the real error message? For example: ... $sandbox->execute(function(){ include "test.php"; }); ... and the test.php is like: ... echo "test"; invalid_str_here ...

could it return some error like: "Parse error: syntax error, unexpected 'echo' (T_ECHO) in sandboxed_code.php on line 4." rather than "could not parse sandboxed code!"?

Thank you!

GitHub changed the way Markdown headings are parsed, so this change fixes it.

See bryant1410/readmesfix for more information.

Tackles bryant1410/readmesfix#1