Restrict scripting for cloud sessions
Option to restrict scripting via cloud clients
Operating mode
Cloud Suite
On-Premises
Modules
All
To ensure certain restrictions when accessing local resources of the Cloud Server Hosts via the cloud clients, there is the Restricted Scripting option to restrict scripting, preventing file access and importing non-Vertec modules.
In the Cloud Suite, this option is always activated and cannot be turned off.
Restrict scripting has the following consequences:
- No VB scripts are running. If a VB script is executed, an error is thrown.
- a sandbox has been introduced for Python. Essentially, only modules that are on the whitelist can be imported.
The setting only works for cloud sessions (Cloud Server), not in the Vertec Desktop App.
Python Sandbox
The Python Sandbox is an isolated, secure environment in which Python code can be executed in restricted mode within Vertec.
The following modules can be imported:
- Scripts as modules registered in Vertec as modules
- All Modules supplied by Vertec
All Python modules that are on the whitelist
Whitelist
As of Vertec 6.8.0.17, Vertec supports code in both Python 2 and Python 3 Depend on the Python version, there are few differences in the modules on the whitelist.
| Python 2 | Python 3 |
|---|---|
| datetime | datetime |
| requests | requests |
| math | math |
| string | string |
| re | re |
| json | json |
| _strptime | _strptime |
| email.message | email.message |
| email.parser | email.parser |
| email.generator | email.generator |
| email.mime | email.mime |
| email.mime.base | email.mime.base |
| email.mime.nonmultipart | email.mime.nonmultipart |
| email.mime.multipart | email.mime.multipart |
| email.mime.application | email.mime.application |
| email.mime.audio | email.mime.audio |
| email.mime.image | email.mime.image |
| email.mime.message | email.mime.message |
| email.mime.text | email.mime.text |
| email.header | email.header |
| email.charset | email.encoders |
| email.errors | email.errors |
| email.utils | email.utils |
| email.iterators | email.iterators |
| smtplib | smtplib |
| base64 | base64 |
| difflib | difflib |
| textwrap | textwrap |
| unicodedata | unicodedata |
| stringprep | stringprep |
| calendar | calendar |
| collections | collections |
| heapq | heapq |
| bisect | bisect |
| array | array |
| decimal | decimal |
| fractions | fractions |
| random | random |
| itertools | itertools |
| functools | functools |
| operator | operator |
| hashlib | hashlib |
| hmac | hmac |
| time | time |
| locale | locale |
| traceback | traceback |
| weakref | weakref |
| zeep | zeep |
| TypedJSONDecoder | TypedJSONDecoder |
| isodate_validator | isodate_validator |
| HttpDecorators | HttpDecorators |
| urlparse | urllib.parse |
| HTMLParser | html.parser |
| StringIO | io |
The three (bold) Python 2 modules urlparse, HTMLParser and StringIO are part of the specified modules with Python 3 and must be imported modules accordingly:
| Python 2 | Python 3 |
|---|---|
import urlparse import HTMLParser import StringIO |
from urllib.parse import urlparse from html.parser import HTMLParser from io import StringIO |
In addition, the list of built-in, globally available symbols (features and constants) in restricted mode is limited to:
['False’, 'None’, 'True’, 'abs’, 'basestring’, 'bool’, 'callable’, 'chr’, 'cmp’, 'complex’, 'divmod’, 'float’, 'hash’, 'hex’, 'Id’, 'int’, 'isinstance’, 'issubclass’, 'len’, 'long’, 'oct’, 'ord’, 'pow’, 'range’, 'repr’, 'round’, 'str’, 'tuple’, 'unichr’, 'unicode’, 'xrange’, 'zip’, 'apply’, “dict,” “enumerate,” “filter,” “getattr,” “hasattr,” “iter,” “list,” “HR,” “max,” “min,” “sum,” “all,” “any,” 'ArithmeticError’, 'AssertionError’, 'AttributeError’, 'BaseException’, 'Buffererror’, 'BytesWarning’, 'DeprecationWarning’, 'EOFError’, 'Ellipsis’, 'EnvironmentError’, 'Exception’, 'FloatingPointError’, 'FutureWarning’, 'GeneratorExit’, 'IOError’, 'ImportError’, 'ImportWarning’, 'IndentationError’, 'IndexError’, 'KeyError’, 'KeyboardInterrupt’, 'LookupError’, 'MemoryError’, 'NameError’, 'NotImplemented’, 'NotImplementedError’, 'OSError’, 'OverflowError’, 'PendingDeprecationWarning’, 'ReferenceError’, 'RuntimeError’, 'RuntimeWarning’, 'StandardError’, 'StopIteration’, 'SyntaxError’, 'SyntaxWarning’, 'SystemError’, 'SystemExit’, 'TabError’, 'TypeError’, 'UnboundLocalError’, 'UnicodeDecodeError’, 'UnicodeEncodeError’, 'UnicodeError’, 'UnicodeTranslateError’, 'UnicodeWarning’, 'UserWarning’, 'ValueError’, 'Warning’, 'WindowsError’, 'ZeroDivisionError’, 'bin’, 'buffer’, 'bytearray’, 'bytes’, 'classmethod’, 'coerce’, 'delattr’, 'dir’, 'exec’, 'format’, 'frozenset’, 'help’, 'locals’, 'next’, 'object’, 'property’, 'reduce’, 'reload’, 'reversed’, 'setattr’, 'slice’, 'sorted’, 'staticmethod’, 'super’, 'type’]
Vertec Desktop App
Restrict scripting does not work in the Desktop App. In order to protect it better, the risky modules from Vertec 6.7.0.7 are installed ctypes, win32*(all modules with win32 start), win2kras, winsound and winxpgui in the PythonUnsafe subfolder in the Vertec installation directory. This folder can be deleted if the modules are not in use to better protect the Desktop App.
These modules and the PythonUnsafe folder will no longer be shipped with new installations starting with Vertec 6.8.0.17.