views: 590

answers: 9

Hi,

I am wondering what security concerns there are to implementing a PHP evaluator like this:

<?php eval($_POST['codeInput']); ?>

This is in the context of making a PHP sandbox so sanitising against DB input etc. isn't a massive issue.

Users destroying the server the file is hosted on is.

I've seen Ruby simulators so I was curious what's involved security wise (vague details at least).


Thanks all. I'm not even sure on which answer to accept because they are all useful.

Owen's answer summarises what I suspected (the server itself would be at risk).

arin's answer gives a great example of the potential problems.

Geoff's answer and randy's answer echo the general opinion that you would need to write your own evaluator to achieve simulation type capabilities.

+16  A: 

don't do that.

they basically have access to anything you can do in PHP (look around the file system, get/set any sort of variables, open connections to other machines to insert code to run, etc...)

Owen
Yeah I was wondering what sort of file access they would have. That was the problem. Thanks.
Graphain
+3  A: 

There are a lot of things you could say. The concerns are not specific to PHP.

Here's the simple answer:

Any input to your machine (or database) needs to be sanitized.

The code snippet you've posted pretty much lets a user run any code they want, so it's especially dangerous.

There is a pretty good introductory article on code injection here:

Wikipedia on Code Injection.

keparo
It's not code injection I'm so much worried about - I want people to be able to evaluate their own code. I'm more worried about if they get access to my server or something.
Graphain
Ah. Well, the snippet from your original question isn't the way to go. If your users are going to write code, you could write an interactive toplevel, limiting the features that you implement, give each user a UNIX account which you admin, or most simply: have them run code on their own machines.
keparo
+4  A: 

If you allow arbitrary code to be run on your server, it's not your server any more.

Rich Bradshaw
Fair enough, any idea of what would vaguely be involved in a testbed simulator. I've seen online Ruby evaluators and was just curious.
Graphain
A: 

As already answered, you need to sanitize your inputs. I guess you could use some regex-filtering of some kind to remove unwanted commands such as "exec" and basically every malicious command PHP has got to offer (or which could be exploited), and that's a lot.

Eikern
Don't use blacklists for sanitising! Always use whitelists.
Lewis
I don't think Lewis' comment can be overemphasized - if you try to "sanitize your inputs" using blacklists, e.g. regex, in this case it's near useless - I will easily get around ANY regex you try to implement, and trivially run MY code regardless.
AviD
+2  A: 

You could potentially be in really big trouble if you eval()'d something like

<?php
   eval("shell_exec(\"rm -rf {$_SERVER['DOCUMENT_ROOT']}\");");
?>

It's an extreme example, but in that case your site would just get deleted. Hopefully your permissions wouldn't allow it, but it helps illustrate the need for sanitization & checks.

arin sarkissian
Thanks for a concrete example :-)
Graphain
+3  A: 

Dear god NO. I cringe even at the title. Allowing a user to run any kind of arbitrary code is like handing the server over to them.

I know the people above me already said that. But believe me. That's never enough times that someone can tell you to sanitize your input.

If you really, really want to allow a user to run some kind of code, make a subset of the commands available to the user by creating some sort of pseudo language that the user can use to do that, à la the way bbcode or markdown works.

paan
+2  A: 

Do NOT allow unfiltered code to be executed on your server, period.

If you'd like to create a tool that allows for interactive demonstration of a language, such as the tool seen here: http://tryruby.hobix.com/, I would work on coding a sub portion of the language yourself. Ideally, you'll be using it to demonstrate simple concepts to new programmers, so it's irrelevant if you properly implement all the features.

By doing this you can control the input via a white list of known acceptable input. If the input isn't on the white list it isn't executed.

Best of luck!

randy
+3  A: 

If you are looking to build an online PHP interpreter, you will need to build an actual REPL interpreter and not use eval.

Otherwise, never ever execute arbitrary user code. Ever.

Geoff
+1  A: 

The eval() function is hard to sanitize and even if you did there would surely be a way around it. Even if you filtered 'exec', all you need to do is to somehow glue the string 'exec' into a variable, and then do $variable(). You'd need to really cripple the language to achieve at least some sort of imaginary security.

+12! This response has more value than all the others, too bad it's not been marked up more.
AviD
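As an added example (not code from any poster in this thread, and written in Python rather than PHP because the approach does not depend on the host language), here is the "subset language with a whitelist" design that paan, randy and Geoff recommend and that the last answer's point about blacklists motivates: a small recursive-descent evaluator whose tokenizer accepts only numbers, variable names, arithmetic operators and parentheses. There is nothing to blacklist, because strings, function calls, semicolons and every other construct are rejected before any evaluation happens, so the string-gluing trick against an 'exec' filter has nothing to call. The class name SafeEvaluator, the grammar and the size limits are assumptions of this example.

```python
import re

# Whitelist tokenizer: a character sequence that does not match one of these
# three alternatives is an error, so "shell_exec(...)", quotes, $, ; and so on
# never reach the parser at all.
_TOKEN = re.compile(
    r"\s*(?:(?P<num>\d+(?:\.\d+)?)|(?P<name>[A-Za-z_]\w*)|(?P<op>\*\*|[-+*/()=]))"
)


class SandboxError(ValueError):
    """Raised for any input outside the whitelisted grammar."""


class SafeEvaluator:
    """Evaluates one statement of: name '=' expr | expr, with + - * / ** ( )."""

    MAX_SOURCE = 256     # keep user programs small (assumed limit)
    MAX_EXPONENT = 64    # stop 9**9**9-style resource exhaustion (assumed limit)

    def __init__(self):
        self.vars = {}

    def tokenize(self, src):
        if len(src) > self.MAX_SOURCE:
            raise SandboxError("program too long")
        pos, tokens = 0, []
        while pos < len(src):
            m = _TOKEN.match(src, pos)
            if m is None:
                rest = src[pos:].lstrip()
                if rest == "":
                    break                      # only trailing whitespace left
                raise SandboxError(f"illegal character {rest[0]!r} at {pos}")
            tokens.append((m.lastgroup, m.group(m.lastgroup)))
            pos = m.end()
        return tokens

    def run(self, src):
        """Execute one statement and return its numeric value."""
        self.toks, self.i = self.tokenize(src), 0
        value = self._statement()
        if self.i != len(self.toks):           # e.g. a '(' after a variable name
            raise SandboxError(f"unexpected {self._peek()[1]!r}")
        return value

    def _peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else ("eof", None)

    def _take(self, kind=None, value=None):
        tok = self._peek()
        if (kind and tok[0] != kind) or (value is not None and tok[1] != value):
            raise SandboxError(f"expected {value or kind}, got {tok[1]!r}")
        self.i += 1
        return tok

    def _statement(self):
        if self._peek()[0] == "name" and self.toks[self.i + 1:self.i + 2] == [("op", "=")]:
            name = self._take("name")[1]
            self._take("op", "=")
            self.vars[name] = self._expr()
            return self.vars[name]
        return self._expr()

    def _expr(self):
        v = self._term()
        while self._peek()[1] in ("+", "-"):
            op = self._take("op")[1]
            r = self._term()
            v = v + r if op == "+" else v - r
        return v

    def _term(self):
        v = self._factor()
        while self._peek()[1] in ("*", "/"):
            op = self._take("op")[1]
            r = self._factor()
            if op == "/" and r == 0:
                raise SandboxError("division by zero")
            v = v * r if op == "*" else v / r
        return v

    def _factor(self):
        if self._peek() == ("op", "-"):
            self._take()
            return -self._factor()
        base = self._atom()
        if self._peek() == ("op", "**"):
            self._take()
            exp = self._factor()
            if abs(exp) > self.MAX_EXPONENT:
                raise SandboxError("exponent too large")
            try:
                result = base ** exp
            except (OverflowError, ZeroDivisionError) as e:
                raise SandboxError(str(e))
            if isinstance(result, complex):
                raise SandboxError("complex result not supported")
            return result
        return base

    def _atom(self):
        kind, val = self._peek()
        if kind == "num":
            self._take()
            return float(val) if "." in val else int(val)
        if kind == "name":
            self._take()
            if val not in self.vars:
                raise SandboxError(f"undefined variable {val!r}")
            return self.vars[val]
        if (kind, val) == ("op", "("):
            self._take()
            v = self._expr()
            self._take("op", ")")
            return v
        raise SandboxError(f"unexpected {val!r}")


def is_rejected(ev, src):
    """True if the evaluator refuses src (the behaviour we want for non-subset input)."""
    try:
        ev.run(src)
    except SandboxError:
        return True
    return False


if __name__ == "__main__":
    ev = SafeEvaluator()
    print(ev.run("x = 2 + 3 * 4"))                                   # 14
    print(is_rejected(ev, 'shell_exec("rm -rf /")'))                 # True: quotes are not in the grammar
    print(is_rejected(ev, "x(1)"))                                   # True: there are no calls
```

The important property is where the rejection happens: the tokenizer, not a filter applied to a full PHP program. Growing the subset later (say, comparison operators or a print statement) means adding a token and a grammar rule, so every accepted construct is one you chose, which is exactly the whitelist discipline Lewis and AviD insist on above.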