[R] (no subject)

Ivan Krylov krylov.r00t at gmail.com
Wed Oct 6 11:53:03 CEST 2021


On Tue, 5 Oct 2021 22:20:33 +0000
Thomas Subia <thomas.subia using fmindustries.com> wrote:

> Some co-workers are wondering about how secure R software is.

I'm afraid that this question is too hard to answer without their
threat model. Secure against what, specifically?

> Is there any documentation on this which I can forward to them?

Well, R is a programming language. It's Turing-complete (see halting
problem), will happily run machine code from shared objects (see
dyn.load, .C, .Call), and install.packages() is there to download
third-party code from the Internet. But that's the case with all
programming languages I know that are used for statistics, which aren't
supposed to run untrusted code.

Maybe you're concerned about data input/output instead. Functions are
first-class objects, so it's possible to save and load them from data
files. Not sure if there's a way to run code on data load, but you can
do it on print() (e.g. print.nls(x) calling x$m$getAllPars()), so don't
load()/readRDS() untrusted data files. There are known bugs in the
deserialiser, too: https://bugs.r-project.org/show_bug.cgi?id=16034

Don't know if it's documented anywhere, though. What are your
co-workers concerned about?

-- 
Best regards,
Ivan
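A worked illustration of the print() point above, added here as an example and not part of Ivan's message or of R itself. It constructs a fake object of class "nls" whose stored closures do what the file's author chose, saves it with saveRDS(), loads it back and shows that readRDS() alone runs nothing but print() does, because print.nls() (assumed to behave as in current R 4.x: it calls x$m$formula(), x$m$getAllPars() and x$m$deviance()) dispatches into the closures carried inside the object. The `payload_ran` flag, the `evil` object and the `holds_code()` walker are all assumptions made for the demo; the walker only uses non-dispatching primitives, so inspecting an untrusted object with it cannot itself trigger a method on an attacker-chosen class.

```r
library(stats)   # print.nls() lives here; attached by default, loaded explicitly for clarity

## Constructed "untrusted data file": an object of class "nls" whose closures
## are chosen by whoever wrote the file.  No deserialiser bug is involved; the
## only thing relied on is that print.nls() calls closures stored in x$m.
payload_ran <- FALSE            # assumption: a visible side effect stands in for a real payload

evil <- structure(
  list(
    m = list(
      formula    = function() y ~ a,      # called via formula.nls() inside print.nls()
      getAllPars = function() {           # called by print.nls()
        payload_ran <<- TRUE              # any code at all could run here
        c(a = 1)
      },
      deviance   = function() 0           # also called by print.nls()
    ),
    data = quote(df),
    call = quote(nls(y ~ a))
  ),
  class = "nls"
)

f <- tempfile(fileext = ".rds")
saveRDS(evil, f)
rm(evil)

x <- readRDS(f)                 # loading alone executes nothing ...
stopifnot(!payload_ran)
print(x)                        # ... but printing (or auto-printing at top level) dispatches to print.nls()
stopifnot(payload_ran)

## Defensive check (also constructed for this example): walk a deserialised
## object *before* printing, str()-ing or otherwise dispatching on it, and say
## whether it carries anything executable.  typeof(), attributes(), unclass()
## and for() never dispatch S3/S4 methods, so the walk cannot run the payload.
holds_code <- function(x) {
  suspicious <- c("closure", "builtin", "special", "environment", "language",
                  "symbol", "expression", "externalptr", "bytecode", "promise")
  if (typeof(x) %in% suspicious) return(TRUE)
  ## attributes (class, names, dim, ...) can hide code as well as list elements;
  ## the attribute list itself is a plain list, so recursing into its elements
  ## terminates on character/integer vectors.
  parts <- c(attributes(x),
             if (typeof(x) %in% c("list", "pairlist")) unclass(x))
  for (p in parts) if (holds_code(p)) return(TRUE)
  FALSE
}

y <- readRDS(f)
stopifnot(holds_code(y))                                   # flagged: closures and calls inside
stopifnot(!holds_code(data.frame(a = 1:3, b = c("x", "y", "z"))))  # plain data passes
unlink(f)
```

The check is deliberately strict: formulas, calls and symbols are language objects and are reported too, so legitimate model fits (lm, nls, ...) will be flagged. That is the intended behaviour for a file you do not trust; if it contains anything executable, open it in a throw-away process or not at all rather than trying to sanitise it.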
