Download parsing code from server and execute it in app: security? - python

I have a question regarding the security of my software.
My software downloads RSS feeds from the Internet, parses them, and does things with it. These things include following the url of the posts stored in the RSS feeds, and parsing the original web page of the posts in certain cases.
Of course, the websites providing the RSS feeds often change the design of their websites, which makes my parsing code obsolete each time they do that. I run regular tests that are supposed to flag the changes, but sometimes I miss it.
Each time a change happens, I have to fix the code, repackage the software, make the installers, push the new version to the server, etc (for Mac, Windows and Linux). Just because the parsing part had to be updated. My app is written in Python.
I was thinking about putting the parsing scripts on my server, and make my software download the scripts if the parsing methods changed. But that would imply downloading code from a server, and executing it on the fly.
Is it secure to do something like that? Is there another way?
EDIT:
I should have been more explicit. My software is a PyQt app, a more or less standalone app that the user downloads and installs. It's local to the user. The software downloads the RSS feeds from the user's computer. However, the software contacts my server (I control it) to perform a few things: create an account for the user if he doesn't have one, send feedback on the most read RSS feeds, etc.
When I update the software, I have a script to automate most things like building the installers and all, but there are always surprises (like SSL libraries updated on the OS side or any other weird thing), so I'd like to minimize the number of builds. Also, the user has to manually update the software on his side (and we know the user is lazy...)

Related

Distributing Computer App w/ GUI (Python)

I am new to Stack Overflow and had a question on a python application I have been working on for a while as part of a fun little personal project. Basically, the app consists of utilizing Selenium to log in to my school portal, (I am a college freshman), navigate through a couple of pages and ultimately scrape the data off a page (beautifulsoup) that contains the campus food account balance and transactions. I thought this would be a useful thing to develop because my school makes it pretty difficult to view this information in a timely manner, and my friends and I find ourselves quite often wanting to check our balance. I completed the code that gets this done and have successfully been able to fetch transactions and display them in the console for any account given a valid school portal username and password. I am now using PySimpleGUI to create a clean interface that prompts you to simply input your login information while it attempts to retrieve this information for you. My question from all this is once this GUI is done, is there any possible way to be able to make this an "app" that can be downloaded or sent to friends so that they can use it as well? I do not want to have to send them the python code, packages to install, teach them how to run it in bash, etc. Is there a way to send them this application that they can run that does exactly what I intend for it to do? Sorry if this is unclear, I will try to elaborate if necessary.
Thank you all in advance!!
The PySimpleGUI documentation (http://www.PySimpleGUI.org) explains that one method that's worked well for distributing PySimpleGUI programs to users that do not have Python installed is using pyinstaller to convert your program into an executable. For Windows, this is an EXE file. For Mac, it's an "App". There's a heading specifically for Mac users: "Creating a Mac App File".
pyinstaller isn't perfect, but for distributing a PySimpleGUI program that's based on tkinter, it's worked pretty well. The least number of other packages involved the better. If your program only uses PySimpleGUI, then it should work well.
Another route is for your users to run your code in the browser. These are tricky technically as you're using sites that emulate tkinter in the browser.
A couple of known to work in-browser solutions:
Trinket - This will enable you to post your code on a website and your users can run the code in their browser. The PySimpleGUI project has a Trinket page at http://Trinket.PySimpleGUI.org
repl.it - Another option for running code in the browser. It's more complex than Trinket, but also supports more packages
These 2 online solutions aren't meant for delivering products. They are teaching aids.

How can I remotely update a python script

How can I update a python script remotely? I have a program which I would like to share, however it will be frequently updated, therefore I want to be able to remotely update it so that the users do not have to re-install it every day. I have already searched StackOverflow for an answer but I did not find anything I could understand. Any help will be mentioned in the project's credits!
A very good solution would be to build a web app. You can use django, bottle or flask for example.
Your users just connect to your url with a browser. You are in complete control of the code, and can update whenever you want without any action on their part.
They also do not need to install anything in the first place, and browsers nowadays provide a lot of flexibility and dynamic content.

Loading Python libraries via http

I have several small Python libraries that I wrote with stuff that I find myself wanting over and over again. I think most programmers have something similar. I want to use these libraries from a variety of different machines so I've started keeping this stuff in my DropBox. However, I'd like to be able to use my code on machines on which I can't install DropBox or other cloud storage applications, even in portable form. I can just download the files every time one of them changes (DropBox can provide me a URL for each file in my Public folder), which is only a moderate nuisance. But--and I admit this is a longshot--is there a solution out there that will let me tell Python to load a library from my DropBox via http?
BTW, I'd like to add the whole remote folder to my sys.path, but getting a URL for a folder is complicated, so I'm going to try to walk before I run by starting with individual files.
Yes, it's possible. I think you want the combination of two previous questions:
How to download a file in python over HTTP
How to dynamically load a library in python
So your task basically breaks down into writing a little bit of glue code: download the URL via the first bullet, write it to a local file, and then import that file using the second bullet.
So that's how you'd do that.
BUT - please keep in mind that dynamically downloading and executing code has many potential security downfalls. Will you be doing this over a secure connection? Who else has the ability to manipulate that URL? There are a bunch of security issues inherent in downloading and executing code on the fly. I would ask you to consider going about your solution in a different way, but I'm giving you the answer you're asking for.
As a simple security check, you can establish a known-good hash for your file, and then refuse to import any file other than one that's on the list of known-good hashes. This makes it a pain to update your modules, but gives you a little bit of extra safety.
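The known-good-hash check suggested above, as an added example that is not from the original post (it also applies to the RSS parser scripts in the main question): the allow-list of SHA-256 digests ships inside the installed app, the downloaded source is hashed and compared before it is compiled, and a file that fails the check never executes. The sample parser module, the allow-list and the helper names are constructed for this example.

```python
import hashlib
import hmac
import sys
import types


class UntrustedModule(Exception):
    """Raised when downloaded module source is not on the allow-list."""


def digest_of(source):
    return hashlib.sha256(source).hexdigest()


def load_verified(name, source, allowed_digests):
    """Compile and import `source` only if its SHA-256 is on the allow-list.

    The allow-list ships inside the installed app rather than being fetched,
    so a file swapped on the server, on the wire or in a cache is rejected
    before a single line of it runs.
    """
    digest = digest_of(source)
    if not any(hmac.compare_digest(digest, good) for good in allowed_digests):
        raise UntrustedModule(f"{name}: sha256 {digest} is not on the allow-list")
    module = types.ModuleType(name)
    module.__file__ = f"<verified:{name}>"
    exec(compile(source, module.__file__, "exec"), module.__dict__)
    sys.modules[name] = module  # a later `import name` resolves to this object
    return module


# Constructed sample: the parser module the server would serve.  The digest is
# computed here only for the demo; a real app ships it as a literal written at
# release time, after the new parser has been reviewed.
GOOD_PARSER = b'''
import re

def extract_title(html):
    m = re.search(r"<h1[^>]*>(.*?)</h1>", html, re.S)
    return m.group(1).strip() if m else None
'''
SHIPPED_ALLOW_LIST = {digest_of(GOOD_PARSER)}
MODIFIED_PARSER = GOOD_PARSER + b"\n"  # one extra byte: a different digest


def is_accepted(source):
    """True if `source` would be loaded, False if it would be refused."""
    try:
        load_verified("feed_parser_probe", source, SHIPPED_ALLOW_LIST)
        return True
    except UntrustedModule:
        return False
```

Fetch the source over HTTPS with certificate verification left on, and treat the allow-list as part of the release: a new parser means a new app build that carries its digest, which is the cost the answer above alludes to.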
Don't use DropBox as revision control
Pick a real solution like Git
Set up access to the Git repository on one of your servers
Clone the repository to your worker machines and checkout master
Create a develop branch where you put every change you make
Test the changes and when you consider any of them stable, merge it to master
On your worker machines set up a cron job which periodically pulls from master branch of repository (and possibly restarts some Python processes as importing the same module again won't make Python interpreter aware of changes since imported modules are cached)
Enjoy your automatically updated workers :)
Don't feel shame - it happens that even experienced software developers come up with XY problem

What measures can I take to safeguard the source code of my django site from others?

I have picked up python/django just barely a year ago. Deployment of a django site is still a subject that I have many questions about, though I have successfully manually deployed my site. One of my biggest questions around deployment is what measures can I take to safeguard the source code of my apps, including passwords in django's settings.py, from others, especially when my site runs on virtual hosting provided by some 3rd party. Call me paranoid but the fact that my source code is running on a third-party server, where someone has the privileges to access anything/anywhere on the server, makes me feel uneasy.
There is almost no scenario where your hosting provider would be interested in your source code. The source code of most websites just isn't worth very much.
If you really feel it is necessary to protect your source code, the best thing to do is serve it from a system that you own and control physically and have exclusive access to.
Failing that, there are a few techniques for obfuscating python, the most straightforward of which is to only push .pyc files and not .py files to your production server. However, this is not standard practice with Django because theft of web site source code by hosting providers is not really an extant problem. I do not know whether or not this technique would work with Django specifically.
If someone has the privileges to access anything/anywhere on the server, you can't do much, because what you can do others can do too. You can try some way of obfuscation, but that will not work. The only solution is NOT to use such a shared repository.
Edit: options
Keep working with shared repository if your data is not very sensitive
Use dedicated hosting from companies like rack-space etc
Use AWS to run your own instance
Use google-app-engine server but that may require a DB change
Run your own server (most secure)
While your source code's probably fine where it is, I'd recommend not storing your configuration passwords in plaintext, whether the code file is compiled or not. Rather, have a hash of the appropriate password on the server, have the server generate a hash of the password submitted during login and compare those instead. Standard security practice.
Then again I could just be talking out my rear end since I haven't fussed about with Django yet.
Protecting source code is not that important IMHO. I would just deploy compiled files and not worry too much about it.
Protecting your config (especially passwords) is indeed important. Temia's point is good.

Can web2py work with svn?

I have just started to learn python and web2py. Because of web2py's web interface development, I am wondering how web2py can work with svn. If a team wants to build a website, how do they work together? How do they control the iteration of the source code?
Yes, it works fine with svn, hg, whatever source control you need to use.
Sometimes people think that you have to code with web2py's admin interface, but that really is not the case, once you realize it can be edited with any of your regular tools, you will see that you don't have to treat it any differently when it comes to source control either.
If you use the source version of web2py, you'll have a single folder on disk that contains an entire web2py application server (that in turn contains your 'application' folders). Just check that whole folder into source control.
Now, on the machine that is running web2py, you can make changes either with web2py's web interface, or by just editing the python files directly with another editor (I use WingIDE for example). You'll have the normal svn update/modify/commit cycle at this point.
If multiple people are editing code using web2py's admin interface, all of their changes will be made on the machine running web2py... just periodically do a commit from that system and you are all set.
Using the admin interface to modify the source code is convenient, but for bigger changes, each member of your team should have their own local copy of the svn branch. They make changes to their local files and commit them. Then from the server running web2py, just do an 'svn up' to get modifications from the rest of the team.
