Hello, motivated by the chat we were having in #87 I open this issue to discuss possible solutions to safe_eval lack of security so we can stop exposing all python environment in a salary rule.
The main issue here is: safe_eval is not safe at all. It exposes real environment python objects and allows the user to run almost everything from a salary rule.
So I come up with 3 ideas that I think if we apply at least one of them it will improve security in the module rules:
-
We should write more standard options of calculations, so we can move the python mode to another module to be used only when necessary.
-
We modify safe_eval to not allowing write access to the ORM. Actually don't know how difficult this can be, but I think is an option.
-
We create a new salary rule coding language. It would involve a whole module change, but for me, is the more promising one, and I have some resources you can check to get an idea:
In python we have some libraries and derivates projects called "Python String Parsers" that in resume provide a whole package that parse strings and convert them to encapsulated python code (so it didn't expose the environment) and return the result of the operation. This packages will solve the problem since we will not write python code in the rule, we will be writing strings and functions from the parser library and the the package will take care of interpreting and processing the sting code, not exposing in any way the python environment.
For you to read I leave you some resources about it:
- ply: Lexx/yacc library. It could provide us with a internal language from rules. In the link you can also see projects writed with ply that could be useful for providing us functions to use in rules.
- pyparsing: it's a big module with all sort of functions and use cases. It can also provide us a string-like programming language to use in rules.
Also I leave some interesting article about eval safety issues. That is a problem with eval and safe_eval so that's what we should attack. Eval is really dangerous
So in resume I think we should take a look to all options. Also, and in a way of providing temporary security I will work in @norlinhenrik approach of locking the salary rule form from only a few cases or maybe a setting. So only trusted odoo users can edit rules.
Also I think #87 should be merged with the new payslip object fix, because adding it don't increment current security issues of salary rules, it's just another object and since we have access to all env in rules, I think we can tolerate this change. We should attack security issues from the root, which is python safe_eval not the objects.
Leave this thread to discuss with you @appstogrow @mtelahun , I can also create a new branch to work in this if you are willing to help me with this, since it's a big change and I don't have time to do it alone, I have the ideas so I think we can make a good team.. Let me know what you think and I can create a 14.0-new-rule-language branch and we can work in there until everything is ready.