Hello,
over the past couple of years being an active member in this forum, I encountered several attempts to run malicious code hidden inside an uploaded Grasshopper definition.
Downloading a definition in this forum is always a high potential security risk. This is because, by default, a definition gets immediately executed in Grasshopper.
A simple practice I have followed for years now is to disable the automatic computation before loading a file,
and then to use the search function to spot script components …
So far so bad…
The problem with that is that A. it can easily be tricked using a user object or cluster and B. it's a manual process with a high chance of missing something.
Now, the question is how can you scan a definition for script components without running the solver?
There are two options: creating a plugin or using Rhino's Python Script Editor. The problem with the first one is its lack of portability. So I decided to create a Python script which gets executed from Rhino (not GH):
```python
import Rhino
import Grasshopper as gh
import Grasshopper.Kernel.Special as ks
import System.Reflection as sr
import clr


def SearchScriptComponents(document):
    """Count script components and clusters in a document without solving it."""
    if document is None:
        # No active document, or a cluster whose content could not be read.
        print("WARNING - a document could not be read and was not scanned")
        return

    pyCount = 0
    csCount = 0
    vbCount = 0
    clCount = 0

    for docObj in document.Objects:
        # Clusters carry their own internal document: scan it recursively.
        if type(docObj) is ks.GH_Cluster:
            clCount += 1
            subDoc = CheckCluster(docObj, ks.GH_Cluster)
            SearchScriptComponents(subDoc)
            continue
        elif type(docObj) is ks.GH_Cluster_OBSOLETE:
            clCount += 1
            subDoc = CheckCluster(docObj, ks.GH_Cluster_OBSOLETE)
            SearchScriptComponents(subDoc)
            continue

        # Script components are recognised by a substring of their type name.
        typeName = docObj.ToString()
        if "ython" in typeName:
            pyCount += 1
        elif "CSNET" in typeName:
            csCount += 1
        elif "VBNET" in typeName:
            vbCount += 1

    # One report per document (the top-level one and every nested cluster).
    print("WARNING - On Document '%s' detected:\n\n\t %d Python, %d C#, %d VB.Net components and %d cluster\n"
          % (document.DisplayName, pyCount, csCount, vbCount, clCount))


def CheckCluster(cluster, clType):
    """Return the cluster's internal document, read from its private field."""
    clType = clr.GetClrType(clType)
    flags = sr.BindingFlags.NonPublic | sr.BindingFlags.Instance
    info = clType.GetField("m_internalDocument", flags)
    if info is None:
        # Fall back to the other field name.
        info = clType.GetField("m_doc", flags)
    if info is None:
        return None
    return info.GetValue(cluster)


document = gh.Instances.ActiveCanvas.Document
SearchScriptComponents(document)
```
scriptCheck.py (1.6 KB)
Script Detection Test.gh (8.7 KB)
Have fun, and happy new year!
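An added example (not part of the original post or its attached script): the same recursive walk, returning one finding per script component together with its cluster path, and reporting a cluster whose content cannot be read instead of skipping it. The names `classify`, `scan`, `inner_doc`, `Obj`, `Doc` and the sample type-name strings are hypothetical and constructed so the block runs outside Rhino; inside Rhino, `inner_doc` is assumed to wrap the post's `CheckCluster`.

```python
# Substrings taken from the post's script, mapped to a readable label.
MARKERS = (("ython", "Python"), ("CSNET", "C#"), ("VBNET", "VB.Net"))

def classify(type_name):
    """Return the script language for a component type name, or None."""
    for needle, label in MARKERS:
        if needle in type_name:
            return label
    return None

def scan(document, inner_doc, path=()):
    """Walk document.Objects without solving; return [(kind, path, type_name)].

    inner_doc(obj) returns the nested document for a cluster, None for any
    other object, and raises LookupError for a cluster it cannot read.
    """
    here = path + (document.DisplayName,)
    where = " > ".join(here)
    findings = []
    for obj in document.Objects:
        try:
            sub = inner_doc(obj)
        except LookupError:
            # Fail closed: an unreadable cluster is itself a finding.
            findings.append(("Unreadable cluster", where, str(obj)))
            continue
        if sub is not None:
            findings.extend(scan(sub, inner_doc, here))
            continue
        kind = classify(str(obj))
        if kind:
            findings.append((kind, where, str(obj)))
    return findings

class Obj(object):  # constructed stand-in for a Grasshopper document object
    def __init__(self, type_name, sub=None, broken=False):
        self.type_name, self.sub, self.broken = type_name, sub, broken
    def __str__(self):
        return self.type_name

class Doc(object):  # constructed stand-in for a Grasshopper document
    def __init__(self, name, objects):
        self.DisplayName, self.Objects = name, objects

def mock_inner_doc(obj):
    if obj.broken:
        raise LookupError("cluster document not readable")
    return obj.sub

def sample():  # constructed definition: a C# script two clusters deep
    inner = Doc("inner", [Obj("ScriptComponents.Component_CSNET_Script")])
    mid = Doc("mid", [Obj("Cluster", inner), Obj("Grasshopper.Kernel.Special.GH_Panel")])
    return Doc("root", [Obj("GhPython.Component.ZuiPythonComponent"),
                        Obj("Cluster", mid), Obj("Cluster", broken=True)])
```

Calling `scan(sample(), mock_inner_doc)` returns three findings: the Python component at `root`, the C# component at `root > mid > inner`, and the unreadable cluster at `root`.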