Implemented super simple modular bot.#20
Implemented super simple modular bot.#20vranki wants to merge 2 commits intoshawnanastasio:masterfrom
Conversation
|
Hi, thanks for the contribution. Could you please explain your rationale for dynamically loading modules? While it's a cool trick, I don't really see the real world use case. Also, it seems like a security minefield (even with the regex sanitization). |
|
The idea behind the modules is that developer does not need to change code of the bot to implement new features. The modules don't need to care about internals of the bot, except implementing the required API. Do you have any concrete attack vectors I have missed? The regex should remove all special characters including / and .. so the bot shouldn't be able to load modules from anywhere except the modules directory. Ps. I'm planning to add lifecycle management so that the modules are loaded on startup instead of on command. This allows modules to run in background, for example receiving events from other sources. |
If I'm understanding this correctly, the goal is to be able to use some reference bot code from this repository without having to make a separate copy for any added commands. If that's the case then I'm not convinced that it's even worth it. After all, the API is simple enough where new bots only have to make 3 calls to start using it (construct, add_handler, start_polling). I don't think any value is provided to users by being able to use the reference code in this way.
Frankly, I'm not qualified to do a security analysis on this usage of python's Overall, I'm not opposed to accepting something like this, but I'm still not 100% sure what the use-case here is. Also, I'd like to see more documentation on how to use this (for example, it's not currently explained that the module name must match the name of the command it wishes to implement). |
… has lifecycle mgmt for modules.
2 participants
No tested thoroughly but ready for review.