Allowing the user a sandboxed version of a programming language - user-input

Note: I'd appreciate some tag suggestions for this one..
I'd like to provide my users with a method of programmatically manipulating data on the server. This would be done by using an in-browser code editor to be executed at a later date, not dissimilar to the manner https://www.onx.ms employ.
I'd like to avoid writing a DSL (a barrier to adoption?), and would prefer the language that the user writes to be either JavaScript or Ruby based.
My obvious concern is security. I understand the perils of allowing user generated code to run server-side, but what steps can I take to eliminate the risk?
Do sites like http://railsforzombies.com actually use irb, or is it far simpler than that?

Would you consider Java (or other JVM languages such as JRuby, Scala, Clojure etc)? If so - there is a wealth of power in the JVM to restrict the privileges of a sandboxed app. See this other question for details: How do I create a Java sandbox?

Google Caja lets you safely embed user-specified Javascript in your website, but I think it might be aimed at running the code in the user's browser rather than on your server. I haven't used it myself.
I don't know if there are ready-made solutions for other languages, but I think a custom solution would involve recompiling the interpreter yourself after removing all API libraries that allow the user to write to disk, open network connections, fork processes/threads, and do any other dangerous or denial-of-service operation. Whitelisting "safe" libraries is the only approach that could work for that.
It would be safer if you had separate virtual servers for individual users.

Related

Can I use webassembly for plugins like blender uses python?

I was talking to a friend of mine who knows a lot about js and wasm.He told me the technology goes far beyond web, since it is basicly a way to run near native applications on devices without actually giving them access to the computer.
Which means that thrid party or untrusted code on a smartphone for instance cannot accidentally or intentional change other apps or parts of the system.
This seamed to me like the perfect conditions to build a plugin system for an application I am working on.
I asked him about it but he was unable to give me a clear answer.
So the question is, can I use webassembly outside of a webbrowser, with custom bindings to safely allow users to extend the functionality of my application (a special image viewer) without sacrificing too much speed? It seams it should work using libnode or something, but is there a problem I might run into?
I don't know how much you know about web assembly but it depends on what your plugins actually should do. If it basically handle Arrays and numeric data with not that match interacting with host applications then it might fit. But when you have heavy object handling then it will not fit at the moment. So for image processing it might be perfect match like it is used in some web examples. Also be aware that some web assembly targeting system or not suitable for none web targets as they generate also some javascript code to be used in browsers beside the generate wasm. Some wasm modules for example require that you call malloc and free for string handling other have functions like new and gc for the nearly the same.

Is it possible to add a capacity to specific form fields?

I'm working on a conference registration form that has check boxes for which events the user would like to attend, but some of those events have capacities. Client wants those options to turn off when they reach maximum capacity. I don't think this is possible without some serious work outside of project scope but I don't want to shoot them down without knowing for sure. I am a novice programmer but experienced designer/coder, if that helps. Thanks!
Hi Allison welcome to SO :)
You are indeed correct that this functionality is going to require some work outside of your project scope if you are normally into designing web sites that don't generally have much server-side functionality.
This is going to need a database and some server-side logic implemented in Ruby, PHP, Asp.Net, Java or whatever and isn't in the realms of just a webform as you have correctly guessed.
I did consider posting this as a comment, but I think it sounds to me that you're not keen on getting into database hackery etc at the moment; equally if I'm wrong then I'm sure you'll get more help from the community if you have some information about what server-side environment the site will be running in (is it PHP, Ruby, .Net, Java, or perhaps old-skool CGI?).

How can I do web programming with Lisp or Scheme?

I usually write web apps in PHP, Ruby or Perl. I am starting the study of Scheme and I want to try some web project with this language. But I can't find what is the best environment for this.
I am looking for the following features:
A simple way of get the request parameters (something like: get-get #key, get-post #key, get-cookie #key).
Mysql access.
HTML Form generators, processing, validators, etc.
Helpers for filter user input data (something like htmlentities, escape variables for put in queries, etc).
FLOSS.
And GNU/Linux friendly.
So, thanks in advance to all replies.
Racket has everything that you need. See the Racket web server tutorial and then the documentation. The web server has been around for a while, and it has a lot of features. Probably the only thing that is not included is a mysql interface, but that exists as a package on PLaneT (Racket package distribution tool).
UPDATE: Racket now comes with DB support, works with several DBs including mysql.
You may want to have a look at Clojure:
Clojure is a dynamic programming language that targets the Java Virtual Machine. [...] Clojure provides easy access to the Java frameworks, with optional type hints and type inference, to ensure that calls to Java can avoid reflection.
Clojure is a dialect of Lisp, and shares with Lisp the code-as-data philosophy and a powerful macro system.
Interop with Java is straightforward in Clojure, so you can re-use any existing Java libraries as you need. I'm sure there are plenty that are useful for web development.
clojure-contrib has an SQL API, and there is ClojureQL as well, which should cover your DB access needs.
There is a web framework for Clojure called Compojure under development. There may be others, too.
Clojure's source is available on github under the EPL. Getting it running on Linux is easy; I just clone the git repos and run ant.
You can do web development with guile scheme. Its standard library includes the (sxml simple) module that is very useful for html generation, manipulation, and parsing. The guile-www library adds support for http, cgi, etc. The guile-dbi library provides access to MySQL and other databases. With these building blocks, you can implement everything from simple cgi scripts to web applications with their own HTTP server.
Try Weblocks, a Common Lisp web framework:
http://weblocks.viridian-project.de/
I've written a pretty extensive tutorial/ebook on the topic: http://lispwebtales.ppenev.com/
Quick summary:
It uses Common Lisp
It uses the Restas framework
It has examples for pretty much most of basic web development, including DB access, authentication, HTML generation and templating.
Since the Restas documentation is pretty much out of date, my tutorial is the closest thing to up to date docs.
Shows a few of the more advanced features, like policies, which allow you to write pluggable interfaces, for instance you can write a data store layer, and write back-ends for different storage mechanisms with relative ease, the module system which allows you to write reusable components, like auth frameworks and things like that.
It covers things like installing lisp, setting up the ASDF build system and the quicklisp package manager etc.
It's free online, and as soon as I finish it it will be free on leanpub as well. The source is on https://github.com/pvlpenev/lispwebtales under a CC license, the source code is MIT. Not all of it is published yet, and I'm in the process of revising.
This may be what you are looking for.
http://www.plt-scheme.org/
http://docs.plt-scheme.org/web-server/index.html
http://common-lisp.net/project/cl-weblocks/
If you are interested in Common Lisp to be exact and do not want to go the weblocks route I would recommend the following setup:
Use SBCL on Linux but with multiple thread support
Use Hunchentoot as a web server which will provide you with all the server processing required including sessions and cookies
Use ClSql to communicate with MySql it has ample documentation and is very stable.
For the HTMl generation you can use Dr Edi Weitz Cl-WHO (very well documented).
Note all the above are under GPL or similar license (one that works more for lisp programs)
Gambit Scheme has its own solution to web apps as well. It uses the Spork framework, based o the Black Hole module system (both by Per Eckerdal).
Andrew Whaley has an initial tutorial on how to get Gambit, Black Hole and Spork running a web app under Apache using mod_proxy. You might want to take a look at that.
On a (possibly) related note, Gambit will also compile your stuff to C and then to an executable, if you feel so inclined.
Paul Graham (and friends) made a lisp dialect specifically for writing basic web applications. It's called Arc, and you can get it at arclanguage.org.
It's probably not suited for really big complex websites and I'm not sure what state it's database support is at but Paul Graham knows how to write web applications in lisp, so Arc will make the HTTP/HTML part easy for you while you spend most of your brain cycles learning the lisp way.
Weblocks is nice tool for building web apps in Common Lisp, but a bit too heavy-weight for me.
We use the following stack:
OpenMCL (open source Lisp, very nice)
Portable Allegroserve (web server, HTML generator)
Our own Rails-like tools for doing Ajaxy stuff (update: this has now been open sourced as WuWei)
A variety of CL libraries like cl-json, cl-smtp, md5
I use my own, customized version of Scheme, derived from MzScheme. It has a new, simple web-application framework, a built-in web-server (not the one that comes with MzScheme) and ODBC libraries. (http://spark-scheme.wikispot.org/Web_applications). The documentation may not be exhaustive, as this is more of a personal tool. But there are lots of sample code in the code repository.
Clojure is a Lisp dialect which may interest you. At this point there's a pretty decent web development stack. I can recommend a few things:
The leiningen dependency manager which makes is really easy to install and manage libraries that you're using. Pretty nice set of plugins for it too. There's even a plugin for Clojurescript, which is a language based on Clojure that compiles to Javascript.
The ring HTTP server abstraction. Its used in most actual web frameworks. Its a pretty good idea to learn that first before jumping into an actual framework.
hiccup is a HTML dsl/templating language written in Clojure. Its very expressive! Reminds me a bit of Jade, in a sense.
composure would have to be the most popular web framework for Clojure. Its essentially a routing library like express.js.
Let's see what can be done with Common Lisp.
The state of the Common Lisp ecosystem (2015) and the Awesome Common Lisp list show us a couple of modern frameworks (Caveman, Lucerne, all built on the new Clack web application server, an interface for Hunchentoot and other servers). Let's discuss with our own findings.
update 2019: there's a new tutorial on the Common Lisp Cookbook: https://lispcookbook.github.io/cl-cookbook/web.html It covers routing, template engines, building self-contained binaries, deployment, etc.
update: a bit later, I found out Snooze, by the creator of Sly or Emacs' Yasnippet, and had a much better impression than say Caveman. Declaring endpoints is just like declaring functions, so some things that were tedious in Caveman are obvious in Snooze, like accessing the url parameters. I don't have much experience with it but I recommend checking it out.
update june 2018: also don't miss the ongoing rewrite of Weblocks, it's going to be huge ! :D http://40ants.com/weblocks/quickstart.html Weblocks allows to build dynamic webapps, without a line of Javascript, without separating the back and front. It is components-based, like React but server-side. It's very alpha as of writing (june 2018), but in progress, and it's working, I have a couple simple web apps working.
A simple way of get the request parameters (something like: get-get #key, get-post #key, get-cookie #key).
I found easier the Lucerne way, it iss as simple as a with-params macro (real world example):
#route app (:post "/tweet")
(defview tweet ()
(if (lucerne-auth:logged-in-p)
(let ((user (current-user)))
(with-params (tweet)
(utweet.models:tweet user tweet))
(redirect "/"))
(render-template (+index+)
:error "You are not logged in.")))
Caveman's way has been less clear to me.
Mysql access
Caveman advertises database integration (with Fukamachi's Datafly and sxql).
You can just use clsql or the Mito ORM: https://lispcookbook.github.io/cl-cookbook/databases.html
HTML Form generators, processing, validators, etc.
I don't know if there are form generators out there. edit: there are: cl-forms and formlets, or again 1forms, working with Caveman2.
Caveman does not have one (issue raised in 2011).
Helpers for filter user input data (something like htmlentities, escape variables for put in queries, etc).
Ratify is an input validation library, not integrated into a framework though.
FLOSS and GNU/Linux friendly: ✓
Other web stuff
Speaking about web, there are other nice libraries in CL land:
web servers: Woo is a fast HTTP server, faster than Nodejs (beware of charts…), wookie is an async http server,
Dexador is an HTTP client
Plump, lquery and CLSS make it easy to parse html and query the DOM.
cl-bootstrap offers twitter-bootstrap shortcuts for the cl-who templating engine (which kind of replaces Jade/Pug, even though we have usual templates too).
Ajax in Lisp
(remember, with Weblocks, see above, we might not need those)
With ParenScript, we can write JavaScript in Common Lisp, without living our usual workflow, and we can thus use the fetch web API to write Ajax calls.
Clojure would be perfect for this. With some very short, clean code, you can implement some very complex applications, such as blogs or forums.
You might want to consider the awful web framework for Chicken Scheme.
Natively supports PostgreSQL and SQLite
Built-in easy support for sessions
Shortcuts for some webdev idioms, like the (ajax) procedure
Your app can be easily compiled to a static executable (via csc -static) for easier deployment
The collection of all chicken libraries (eggs) isn't as versatile as in some other programming languages, but isn't awful either

What languages can be used to make dynamic websites?

So, there are several languages which will allow you to create a website, as long as you configure the server(s) well enough.
To my knowledge, there is:
PHP
ASP.NET
Ruby(on rails, what is
that all about?)
And thusly, my knowledge is limited. Ruby and ASP, I've only heard of, never worked with. If there are other languages, I suppose they have some way to make files containing the needed html. It would then suffice to add a line to the Apache config to associate the file-extension.
And if other languages: are there any notable characteristics about the one(s) you mention?
ANY language can be use to make a dynamic website - you could do it in COBOL or FORTRAN if you were twisted enough. Back in the olden days (about 10 years ago) most dynamic websites were done with CGI scripts - all you needed was a program that could read data from standard input and write data (usually HTML) to standard output.
Most modern languages have libraries and frameworks to make it easier. As well as the languages you have already mentioned, Java, C# and Python are probably the most common in use today.
Typically a web framework will have:
a way of mapping URLs to a class or function to handle the request
a mechanism for extracting data from a request and converting it into an easy to use form
a template system to easily create HTML by filling in the blanks
an easy way to access a database, such as an ORM
mechanisms to handle caching, redirections, errors etc
You can find a comparison of popular web frameworks on wikipedia.
How can you forget Java ? :)
Python
It runs on Windows, Linux/Unix, Mac OS X, and has been ported to the Java and .NET virtual machines.
Python is a perfect scripting language for web applications, e.g. via mod_python for the Apache web server. With Web Server Gateway Interface a standard API has been developed to facilitate these applications. Web application frameworks or application servers like Django, Pylons, TurboGears, web2py and Zope support developers in the design and maintenance of complex applications. Around libraries like NumPy, Scipy and Matplotlib, Python is a standard in scientific computing.
Among the users of Python are YouTube and the original BitTorrent client. Large organizations that make use of Python include Google, Yahoo!, CERN, NASA,and ITA.
This could be for your interest.
Virtually thru CGI all programming languages that produce output may use for web page generation.
Basically, you can use any language (if you are hosting your own server)
Very closely related and very interesting is this article where LISP has been used to build a very succesfull website.
Python has a 3rd party module CherryPy which can be used with or without a http server.
Amongst others: Erlang (YAWS, Mochiweb), Python
JSP has the advantage that it automatically wraps your code in a servlet, compiles that to bytecodes, then uses the just-in-time Java compiler to recompile critical sections into native object code. Not aware of any alternative which allows optimizes your work automatically in this way.
Also allows you to develop and deploy on any combination of Windows, Mac OS X, or Linux.
If you'd like to choose one for the beginning, you should check out PHP first. It gives you the basic clues about how dynamic sites work in general.
After you've become familiar with the basics, I recommend ASP.NET.
Fist off, you should know that ASP.NET is a technology and not a language. (It actually supports any language that can be used on the .NET platform.) Also it is not to be confused with classic ASP. (The old ASP was much more like PHP.)
ASP.NET is very easy to begin with, and after you have some clues about its concepts, you can always dig deeper and customize everything in it. The http://asp.net site is a very good starting point, if you are to learn it. I think it is really worth the effort, because even if you choose not to stick to it, it will give you some interesting ideas and concepts.
I tell you its most important advantages:
The code is compiled (and NOT interpreted like PHP), and it has a very good performance. (In a performace comparsion, it is 10-15 times faster. http://www.misfitgeek.com/pages/Perf_Stat_0809.htm)
It can be run on Windows without effort, and on Linux / Mac / etc using the Mono project.
It implements the Separation of Concerns principle very well.
It has most of the general functionality you'll need built-in. (Such as membership, roles, database management, and so on.)

Suggestions for Adding Plugin Capability?

Is there a general procedure for programming extensibility capability into your code?
I am wondering what the general procedure is for adding extension-type capability to a system you are writing so that functionality can be extended through some kind of plugin API rather than having to modify the core code of a system.
Do such things tend to be dependent on the language the system was written in, or is there a general method for allowing for this?
I've used event-based APIs for plugins in the past. You can insert hooks for plugins by dispatching events and providing access to the application state.
For example, if you were writing a blogging application, you might want to raise an event just before a new post is saved to the database, and provide the post HTML to the plugin to alter as needed.
This is generally something that you'll have to expose yourself, so yes, it will be dependent on the language your system is written in (though often it's possible to write wrappers for other languages as well).
If, for example, you had a program written in C, for Windows, plugins would be written for your program as DLLs. At runtime, you would manually load these DLLs, and expose some interface to them. For example, the DLLs might expose a gimme_the_interface() function which could accept a structure filled with function pointers. These function pointers would allow the DLL to make calls, register callbacks, etc.
If you were in C++, you would use the DLL system, except you would probably pass an object pointer instead of a struct, and the object would implement an interface which provided functionality (accomplishing the same thing as the struct, but less ugly). For Java, you would load class files on-demand instead of DLLs, but the basic idea would be the same.
In all cases, you'll need to define a standard interface between your code and the plugins, so that you can initialize the plugins, and so the plugins can interact with you.
P.S. If you'd like to see a good example of a C++ plugin system, check out the foobar2000 SDK. I haven't used it in quite a while, but it used to be really well done. I assume it still is.
I'm tempted to point you to the Design Patterns book for this generic question :p
Seriously, I think the answer is no. You can't write extensible code by default, it will be both hard to write/extend and awfully inefficient (Mozilla started with the idea of being very extensible, used XPCOM everywhere, and now they realized it was a mistake and started to remove it where it doesn't make sense).
what makes sense to do is to identify the pieces of your system that can be meaningfully extended and support a proper API for these cases (e.g. language support plug-ins in an editor). You'd use the relevant patterns, but the specific implementation depends on your platform/language choice.
IMO, it also helps to use a dynamic language - makes it possible to tweak the core code at run time (when absolutely necessary). I appreciated that Mozilla's extensibility works that way when writing Firefox extensions.
I think there are two aspects to your question:
The design of the system to be extendable (the design patterns, inversion of control and other architectural aspects) (http://www.martinfowler.com/articles/injection.html). And, at least to me, yes these patterns/techniques are platform/language independent and can be seen as a "general procedure".
Now, their implementation is language and platform dependend (for example in C/C++ you have the dynamic library stuff, etc.)
Several 'frameworks' have been developed to give you a programming environment that provides you pluggability/extensibility but as some other people mention, don't get too crazy making everything pluggable.
In the Java world a good specification to look is OSGi (http://en.wikipedia.org/wiki/OSGi) with several implementations the best one IMHO being Equinox (http://www.eclipse.org/equinox/)
Find out what minimum requrements you want to put on a plugin writer. Then make one or more Interfaces that the writer must implement for your code to know when and where to execute the code.
Make an API the writer can use to access some of the functionality in your code.
You could also make a base class the writer must inherit. This will make wiring up the API easier. Then use some kind of reflection to scan a directory, and load the classes you find that matches your requirements.
Some people also make a scripting language for their system, or implements an interpreter for a subset of an existing language. This is also a possible route to go.
Bottom line is: When you get the code to load, only your imagination should be able to stop you.
Good luck.
If you are using a compiled language such as C or C++, it may be a good idea to look at plugin support via scripting languages. Both Python and Lua are excellent languages that are used to script a large number of applications (Civ4 and blender use Python, Supreme Commander uses Lua, etc).
If you are using C++, check out the boost python library. Otherwise, python ships with headers that can be used in C, and does a fairly good job documenting the C/python API. The documentation seemed less complete for Lua, but I may not have been looking hard enough. Either way, you can offer a fairly solid scripting platform without a terrible amount of work. It still isn't trivial, but it provides you with a very good base to work from.