Import order affects whether code is sandboxed. #16

Open
nedbat opened this issue Sep 10, 2013 · 1 comment

Comments

@nedbat
Contributor

nedbat commented Sep 10, 2013

This code will run outside of a sandbox:

  import codejail.jail_code
  import codejail.safe_exec
  codejail.jail_code.configure('python', '/home/pmitros/jail/jailbox/bin/python')
  codejail.safe_exec.safe_exec("import os\nos.system('ls /etc')", {})

This code will run in a sandbox:

  import codejail.jail_code
  codejail.jail_code.configure('python', '/home/pmitros/jail/jailbox/bin/python')
  import codejail.safe_exec
  codejail.safe_exec.safe_exec("import os\nos.system('ls /etc')", {})

The only difference is the order of the calls.

The code which specifically breaks is:

UNSAFE = ALWAYS_BE_UNSAFE or not jail_code.is_configured("python")

This runs on import, and if UNSAFE is set, it overrides safe_exec with an unsafe version. The code attempts to log a warning, but fails unless loggers are configured the edX way (simply stating 'No handlers could be found for logger "codejail.safe_exec"').

@timmc-edx
Contributor

It would likely be better to have the safe_exec function decide at call-time whether to branch to not_safe_exec, as this would allow service startup to occur in any order (as long as codejail.jail_code.configure is called at some point before safe_exec starts being called).

This change could be made as part of an unsafe-mode deprecation, which would likely entail requiring an explicit opt-in for unsafe-exec (only used for unit tests) rather than defaulting to it.
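
The import-time binding reported in this issue, next to the call-time dispatch with explicit unsafe opt-in suggested in the comment above, as an added example that is not codejail's own code. `Jail`, `bind_at_import`, `make_call_time_exec`, the two executor stand-ins and the interpreter path are hypothetical names and values constructed for illustration.

```python
# Added illustration; every name here is a hypothetical stand-in, not codejail's API.

class Jail:
    """Stand-in for the registry that a configure() call fills in."""
    def __init__(self):
        self._commands = {}

    def configure(self, name, path):
        self._commands[name] = path

    def is_configured(self, name):
        return name in self._commands


def sandboxed_exec(code):
    return "sandboxed"      # placeholder for running the code inside the jail


def unsandboxed_exec(code):
    return "unsandboxed"    # placeholder for running the code in-process


def bind_at_import(jail):
    """Pattern from the issue: decide once, at the moment the module body runs."""
    unsafe = not jail.is_configured("python")   # value is frozen here
    return unsandboxed_exec if unsafe else sandboxed_exec


def make_call_time_exec(jail, allow_unsafe=False):
    """Suggested direction: check on every call, unsafe only by explicit opt-in."""
    def safe_exec(code):
        if jail.is_configured("python"):
            return sandboxed_exec(code)
        if allow_unsafe:                        # e.g. unit tests only
            return unsandboxed_exec(code)
        raise RuntimeError("sandbox not configured; refusing to run code")
    return safe_exec


def demo():
    jail = Jail()
    early = bind_at_import(jail)        # "import" happens before configure()
    late = make_call_time_exec(jail)    # built before configure() as well
    jail.configure("python", "/path/to/sandbox/python")  # constructed path
    return early("pass"), late("pass")


if __name__ == "__main__":
    print(demo())
```

With the same startup order, the import-time binding keeps pointing at the unsandboxed executor after configuration, while the call-time version picks up the configuration and fails closed when it is missing.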
