Replace exec with wasm_exec

[Jflick58]

This replaces the usage of the insecure exec function with a more secure library called wasm_exec TL;DR: Use chroot jails, wasmtime and a standalone Python3.11 WASM interpreter to safely execute arbitrary code

Some questions before I officially submit this pr:

• How critical is it that we support the execution of code containing 3rd-party dependencies? The team behind the wasm interpreter I vendor with the library is working on porting numpy along with some of the c libs needed to enable broader package support.

  • If it is critical, then how critical is it to support Python versions below 3.11? Right now the interpreter does support the use of an existing venv for accessing installed 3rd party deps, but the interpreter is only distributed in 3.11 which means I would either a) have to only support 3.11 b) have a 3rd split in the PythonRepl code base (base, AST, Wasm) or b) try to write some hacky and unpythonic code to try to dynamically create a new 3.11-based venv off of the currently active Python environment.

  • If it is not critical then is it okay if I refactor the test cases to avoid the tests containing numpy and pandas code? Should we also update the docs to reflect that limitation?

I also strongly welcome feedback on the wasm_exec library if there are implementation ideas that make it more functional.

Fixes #1026
Fixes #5294
Fixes #5388
Fixes https://nvd.nist.gov/vuln/detail/CVE-2023-29374

Who can review?

• @hwchase17
• @vowelparrot

[uogbuji]

Just my opinions here. I've not commit bit & am relatively new to langchain.

This replaces the usage of the insecure exec function with a more secure library called wasm_exec TL;DR: Use chroot jails, wasmtime and a standalone Python3.11 WASM interpreter to safely execute arbitrary code

100% needed, and thanks!

Some questions before I officially submit this pr:

• How critical is it that we support the execution of code containing 3rd-party dependencies? The team behind the wasm interpreter I vendor with the library is working on porting numpy along with some of the c libs needed to enable broader package support.

It's better to get this in place first, and then worry about 3rd party deps later. The security concern massively outweighs feature depth.

• If it is critical, then how critical is it to support Python versions below 3.11? Right now the interpreter does support the use of an existing venv for accessing installed 3rd party deps, but the interpreter is only distributed in 3.11 which means I would either a) have to only support 3.11 b) have a 3rd split in the PythonRepl code base (base, AST, Wasm) or b) try to write some hacky and unpythonic code to try to dynamically create a new 3.11-based venv off of the currently active Python environment.

I also think it's not worth a lot of effort to support power Python versions. (b) & (c) feel like maintenance burdens, and simplicity is important in security-minded components.

[Jflick58]

@hwchase17 @vowelparrot would love some feedback on this PR. I recognize some of the tests are still failing, but I think that resolution is dependent upon answers to the questions I posed above. Thanks!

[Jflick58]

@hwchase17 @vowelparrot bumping again, hoping to get your thoughts...

[hwchase17]

this should not be required dependeyncy, lets make optional

[Jflick58]

This seems dependent on the conversation below. Given that this is a big reason for the CVE that are flagging Langchain in different security scans, I'd advocate (for now) to make it a required dependency.

[hwchase17]

i would probably bias towards a separate util tbh. since this introduces a new dependency

[Jflick58]

I think this also goes back to the fundamental question of whether this should be an add-in or replace the default exec functionality. If it's the default replacement, then seems like leveraging the python util makes sense.

[hwchase17]

why?

[uogbuji]

The goal of this PR is to offer better security in use of Python REPL, and passing in globals() looks like a massive security hole to me. I see a lot of code out there where people expose e.g. their API keys and other secrets as globals in memory space, and those could be a prompt injection target. The rest of your comments, @hwchase17 seem to be towards making a higher security level optional, and I'd reluctantly accept that (for me, higher security should be the default), but if the user does opt for a tighter ship, then that _globals=None is IMO an important part of the picture.

[Jflick58]

agreed with @uogbuji but also right now the Wasm interpreter doesn't supported globals that can't be represented as a type that can be easily converted to string. Often the result of the globals function call are object types that can't be converted to string.

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

1 Ignored Deployment

Name	Status	Preview	Comments	Updated (UTC)
langchain	⬜️ Ignored (Inspect)	Visit Preview		Nov 1, 2023 11:18pm

[Jflick58]

@hwchase17 can you review the responses to the comments and let me know how you want to proceed?

[timxieICN]

any update on this feature/PR? Thanks.

[hwchase17]

sorry for the delay here. high level thoughts:

1. We almost certainly don't want to introduce this as a dependency for the main project
2. We want to support as flexible of python running for prototyping purposes as possible
3. We do not want people to be running this in production

I would suggest the following changes:

1. We will move the current python tools and anything that depends on them into langchain.experimental and make that a separate package. This should remove CVEs from core langchain, while also hopefullying making it clear its experimental, and also allowing for prototyping
2. I would encourage the creation of a separate langchain_python or the like respository where that uses wasm by default. we'd be happy to support this in a variety of ways (help setting up, help publicizing, help maintaining), but i think we'd prefer it to be a separate repository

thoughts?

[Jflick58]

Responded more in #8092

As far as this goes, I'll probably take these changes and implement as a separate package. How would that jive with the story of langchain.experimental though? Seems confusing to me to have an unsafe and safe way of doing things, both as external packages and possibly publicized by LangChain.

[leo-gan]

@Jflick58 Hi , could you, please, resolve the merging issues? After that ping me and I push this PR for the review. Thanks!

[Jflick58]

@leo-gan I thought @hwchase17 decided to move the repl functionality to langchain-experimental to avoid including this security issue in the main langchain install? Happy to work on this PR to include the wasm-exec functionality in the main package, but wanted to confirm. Thanks!

[leo-gan]

@Jflick58 If this change suits experimental better, is it possible to start this change again as a new PR in experimental? If you want to do this, please, close this PR.

[EliahKagan]

Would it have to be a new PR? Given that langchain and langchain-experimental are both from this repository, could this PR be modified accordingly?

[leo-gan]

It is up to you. This PR could be OK 👍

[ruan-azevedo]

Hey guys, any updates for this PR?

[Jflick58]

@RuanAzevedo This is still on my to-do list. I'm traveling for work this week but hoping to pick it back up next week.

[nfcampos]

the timeout branch also needs to be updated to pass self.wasm as arg

[Jflick58]

Why would we pass self.wasm as an arg if it has access to the wasm class attribute?

[tabdunabi]

hi @Jflick58, any update on this PR (to resolve this CVE)?

[kenziewritescode]

Is there any update on this?

[hwchase17]

closing as the CVE has been addressed through other means. i am supported of a wasm based exec tool in the future