From 64f9ef27055e35d34962817a4025675642626db7 Mon Sep 17 00:00:00 2001
From: burnettk
Date: Thu, 1 Jun 2023 17:52:01 -0400
Subject: [PATCH] allow turning off restricted python
---
 .../src/spiffworkflow_backend/config/default.py | 6 ++++++
 .../services/process_instance_processor.py | 12 +++++++++---
 2 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/config/default.py b/spiffworkflow-backend/src/spiffworkflow_backend/config/default.py
index cc44f62b5..08e12fa76 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/config/default.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/config/default.py
@@ -169,6 +169,12 @@ SPIFFWORKFLOW_BACKEND_ENGINE_STEP_DEFAULT_STRATEGY_WEB = environ.get(
 # this is only used in CI. use SPIFFWORKFLOW_BACKEND_DATABASE_URI instead for real configuration
 SPIFFWORKFLOW_BACKEND_DATABASE_PASSWORD = environ.get("SPIFFWORKFLOW_BACKEND_DATABASE_PASSWORD", default=None)
+# we load the CustomBpmnScriptEngine at import time, where we do not have access to current_app,
+# so instead of using config, we use os.environ directly here.
+# SPIFFWORKFLOW_BACKEND_USE_RESTRICTED_SCRIPT_ENGINE = (
+# environ.get("SPIFFWORKFLOW_BACKEND_USE_RESTRICTED_SCRIPT_ENGINE", default="true") == "true"
+# )
+
 SPIFFWORKFLOW_BACKEND_FEATURE_ELEMENT_UNITS_ENABLED = (
 environ.get("SPIFFWORKFLOW_BACKEND_FEATURE_ELEMENT_UNITS_ENABLED", default="false") == "true"
 )
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/services/process_instance_processor.py b/spiffworkflow-backend/src/spiffworkflow_backend/services/process_instance_processor.py
index 36982c803..9a9b558c8 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/services/process_instance_processor.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/services/process_instance_processor.py
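Review bot: The commented-out assignment in the default.py hunk documents different parsing from what the engine actually does: `environ.get("SPIFFWORKFLOW_BACKEND_USE_RESTRICTED_SCRIPT_ENGINE", default="true") == "true"` would switch the restricted engine off for any value other than the exact string `true` (for example `True`, `1` or a typo), whereas the check this patch adds in process_instance_processor.py switches it off only for the exact string `false`. If the block is ever uncommented and wired in, a security control would start failing open. I would drop the dead code and keep a comment that states the real contract, such as `# SPIFFWORKFLOW_BACKEND_USE_RESTRICTED_SCRIPT_ENGINE is read from os.environ in CustomBpmnScriptEngine; only the exact value "false" disables the restricted script engine, which lets script tasks run without safe_globals.`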
@@ -278,9 +278,15 @@ class CustomBpmnScriptEngine(PythonScriptEngine): # type: ignore
 "set": set,
 }
- # This will overwrite the standard builtins
- default_globals.update(safe_globals)
- default_globals["__builtins__"]["__import__"] = _import
+ use_restricted_script_engine = True
+ if os.environ.get("SPIFFWORKFLOW_BACKEND_USE_RESTRICTED_SCRIPT_ENGINE") == "false":
+ use_restricted_script_engine = False
+
+ if use_restricted_script_engine:
+ # This will overwrite the standard builtins
+ default_globals.update(safe_globals)
+ default_globals["__builtins__"]["__import__"] = _import
+
 environment = CustomScriptEngineEnvironment(default_globals)
 super().__init__(environment=environment)
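Review bot: Nothing records that the sandbox is off: when `SPIFFWORKFLOW_BACKEND_USE_RESTRICTED_SCRIPT_ENGINE` is `false`, the new `if use_restricted_script_engine:` branch skips both `default_globals.update(safe_globals)` and the `_import` hook without a log line, so an operator cannot tell from the logs that script tasks now run with unrestricted builtins and imports. I would add an `else:` branch that emits a warning, for example `logging.getLogger(__name__).warning("restricted script engine disabled; script tasks run without safe_globals")`, assuming `logging` is imported in this module. The hunk also relies on `os` being imported at the top of the file, which is outside the visible lines, and the enclosing `__init__` starts before the hunk. The exact match on `"false"` keeps the restriction for every other value, which is the safe default; a one-line comment saying this is deliberate would stop it being loosened later.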