On 7/8/2025 5:09 PM, Caddiy via Discuss wrote:

Antivirus / antimalware scanners do one of two things:

• At various times, looks for known-bad patterns.  They know that a
  certain piece of malware looks like <this>, so they look for
  <this>.  This technique is good for finding malware that's already
  been discovered, but useless for finding new malware.  I believe
  that this is how most anti-malware stuff operates.
• While the program is running, look for "bad" behavior.  The problem
  there is defining "bad", because for almost any behavior there's
  some program that legitimately needs to do it.  Making changes to
  files is one of the most destructive things that malware can do...
  but it's also something that almost all legitimate programs need to
  do.  I'm not sure, but I don't think most anti-malware stuff uses
  this technique, but other parts of the system do.  Firewalls may
  block network connections.  "Ordinary" system defenses block
  attempts to change system files.  But:  if the user clicks through
  the "administrator approval required" popup, all bets are off.

So until the malware has spread enough that the scanner companies pick
it up and start looking for it, only the second technique will help you,
and that has trouble protecting your ordinary non-system files.

That's probably oversimplifying a bit, but it's basically accurate.

Two things: the meshed-gear example is So wicked Cool!  Thanks...

OK, back to the python security...

When I have had to deal with this in the somewhat distant past, and I am
having to dredge up some details from bygone work projects, we either used
containers or VM's that were locked down tighter than a nats...  Hmmm, in
the name of common decorum and decency, I'll stop the euphemistic
expletives there, BUT what we did was allow a way for the native OS to read
and write filed in/out of the VM/container, but a user inside the VM could
not.  We also locked down all ports (well, except the Display, and explicit
interfaces to the mouse and keyboard) -- read, no general external disk, no
general USB access, and no Ethernet/WiFi access.  Getting data in and out
of the VMs was a pain, but external utility scripts can be set up to ease
that transition.  It has been long enough since I had to be up on Docker,
KVM, VirtualBox, and VMWare, I do not remember which of those allows one to
lock it down like that.  Maybe others here can chime in.  I think it would
be a worthwhile project to see if such VM's/containers can be configured
and deployed -- and still make it clear enough for a non-programmer to
install, use, and get files in and out of them.  If we could work out these
details, maybe a container image could be deployed pre-configured.  Just a
thought.

EBo --

On Tue, Jul 8, 2025 at 11:36 PM Jordan Brown via Discuss <
discuss@lists.openscad.org> wrote:

All this Hassle Would Automatically resolve when we call the Models Scripts
instead.
Mails Would read:
Hey , have you Seen how  my latest csg Script Looks Like?
IT will ne No worse than Other Mail Scan trying to execute binaries in the
foreign Computer.

Am Mittwoch, 9. Juli 2025 schrieb John David via Discuss <
discuss@lists.openscad.org>:

--
Null

Calling it something different will not address the underlying issue, only
to get past calling conventions.  Setting up a Docker/KVM/VMWare OpenSCAD
image (with python and a small storage space inside the VM) would fully
isolate.  I am probably missing a few things, but this might be a solution.

On Wed, Jul 9, 2025 at 6:09 AM Guenther Sohler via Discuss <
discuss@lists.openscad.org> wrote:

Hi Folk
I'm no so firm in python, but I can tell, what we did in some embedded
systems to sandbox Lua-Scripts

Call user script in an environment with

• removed globals, which have filesystem access: loadfile, dofile,
  module, require
• removed packages, which have filesystem access: os, io

added supporting functions

load_file(path), save_file(path,...) with path verified to be only in an
allowed list of folders/directories.
printf(...) for formatted output

I don't know, if similar is possible in python, but we believe in Lua
this is safe.

Regards

Am 09.07.25 um 12:09 schrieb Guenther Sohler via Discuss:

On Wednesday, July 9, 2025 at 06:15:39 AM EDT, John David via Discuss discuss@lists.openscad.org wrote:

It's also a huge complication --- every effort at Python I've ever made has always crashed-and-burned at the end when someone decided a virtual environment was necessary and they started to conflict.

So long as that was an option which was compleatly automatic, and it was easy to get DXF and STL and other files out, maybe --- but one loses a lot of the potential when files can't be written or even accessed.

I just pushed up an update to my own project:

https://github.com/WillAdams/gcodepreview

and it simply would not have been possible w/o the facility Python has for manipulating variables as variables, and writing out files.

William

--
https://designinto3d.com/
Sphinx of black quartz, judge my vow.

Does Lua have named arguments in function calls and is there an easy-to-use
embeddable package ?

On Wed, Jul 9, 2025 at 1:00 PM jjvbhh via Discuss <
discuss@lists.openscad.org> wrote:

Yes, I am aware that it does not solve the actual problem :)

But labelling the Design as "program/script/snippet"  restores the user
awareness that it does actually execute with all implications

Every healthy and reasonably thinking person will automatically person will
conclude all the implications whereas when the design is called "Model"
the danger is
veiled/hidden

On Wed, Jul 9, 2025 at 12:15 PM John David ebo.2112@gmail.com wrote:

I asked claude.ai for some solutions:

1. Docker container (advised)

Create a Dockerfile

FROM python:3.9-slim

RUN pip install pythonscad
WORKDIR /app

Copy your python files

COPY . .

Run met beperkte privileges

USER nobody
CMD ["python", "your_model.py"]

###################

I've used a lot of docker images but never created one from scratch. But
it's pretty save as a sandbox

###################

2. Python Virtual Environment + Restricted Execution (a bit lighter)

import subprocess
import tempfile
import os

def run_pythonscad_sandboxed(model_code):
with tempfile.TemporaryDirectory() as temp_dir:

Schrijf code naar temporary file

model_file = os.path.join(temp_dir, "model.py")
with open(model_file, 'w') as f:
f.write(model_code)

Run in subprocess met beperkte rechten

result = subprocess.run([
'python', '-c',
f'import sys; sys.path.insert(0, "{temp_dir}");
exec(open("{model_file}").read())'
], capture_output=True, text=True, timeout=30)

return result

######################

i cannot judge this one

######################

3. Firejail on linux systems.

#################

not suitable for windows users

#################

Met vriendelijke groet,

Matthieu Hendriks

Guenther Sohler via Discuss schreef op 2025-07-09 13:56:

--
Null

OpenSCAD mailing list
To unsubscribe send an email to discuss-leave@lists.openscad.org

OpenSCAD mailing list
To unsubscribe send an email to discuss-leave@lists.openscad.org

Am 09.07.25 um 13:52 schrieb Guenther Sohler via Discuss:

Can be done by passing a table as argument.

somefunction{width=123,height=456,color="blue"}

Embedding Lua in C or C++ is – no, not a one-liner – but in about 30…50
lines, depending on your needs. Argument passing and error catching is
quite simple.

You can find a simple example in
https://github.com/bassklampfe/lua4hydrogen/blob/main/midi2hydrogen-qt/midi2hydrogen-qt.cpp

(in one of my repositories in my personal github account)

And also google "embedding lua in c++" will give you 1000s of hints.
Explicit like above example or also ready to use C++-classes.

On the other side it's also simple to Map a C++ Class to Lua.
Simple example https://github.com/jjvbsag/COMPLEX/blob/master/lcomplex.cpp
(in one of my repositories in my ex-company github account)

Again, google will show you all further examples.

But for me, the best in Lua are the dependencies. The plane Lua
interpreter just has got ONE! A working C-Compiler with stdlib! And Lua
is small.

stat -c%s $(which lua5.1)
194872

stat -c%s $(which python3.10)
5937800

But, please let us now stop discussion Lua in this Mailing list about
OpenSCAD.
Regards