R8 GH Script component - safety enhancement request

I downloaded a .gh file from the forum to look into a user’s problem. On opening the file, a Python Script component downloaded a heck of a lot of modules, I presume because of the # requirements, # r: and # venv statements it contains. It occurs to me that a malicious actor - or just an incompetent - could install nasties this way. I normally open a source file and take a look before executing it, but I don’t appear to get this opportunity in the Script component.

I tried restarting and disabling the solver before opening the .gh file, but the downloads still happened.

Could we change this behaviour so that when the solver is disabled, a Python script (or any other language for that matter) does not download anything, thereby giving people the chance to inspect the script before anything happens? Or introduce some other safety net - I’m not fussed about the “how”.

TIA
Jeremy

3 Likes

Indeed, asking before downloading anything would be a minimum requirement (as per the package manager)!

2 Likes

@jeremy5 Which Rhino version are you using? There have been a lot of improvements to the package install process and this is fixed in Rhino 8.6 and later. The Script component doesn’t try to build the script if the solver is disabled.

Sorry, I should have included that info. I’m on 8.6.24086.11001, 2024-03-26.

I just tested my 8.6.24086.23001, 2024-03-26 and it does not install packages if the Grasshopper solver is disabled. Note the Python script component does not show a progress bar underneath when I open the file.

Would you mind verifying this Grasshopper file does not install packages on yours?

  • Delete the default folder in %HOMEPATH%\.rhinocode\py39-rh8\site-envs
  • Restart Rhino, GH, and disable solver and open this file
  • The new default folder under %HOMEPATH%\.rhinocode\py39-rh8\site-envs should not contain any packages until you have enabled the solver again.
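An added example, not code from this thread or from McNeel: a small Python helper that lists the package directives in a script's text so they can be inspected before the component is allowed to run, and lists what was written recently under a site-envs folder. It assumes each directive keyword is followed by a colon; the sample script and folder names are constructed.

```python
import os
import re
import tempfile
import time
from pathlib import Path

# Directive keywords named in the thread: "# r:", "# requirements", "# venv".
# Requiring a colon after each keyword is an assumption of this example.
DIRECTIVE_RE = re.compile(r"^\s*#\s*(r|requirements|venv)\s*:\s*(.+?)\s*$", re.I)

def find_package_directives(script_text):
    """Return (line_no, kind, value) for each install directive in a script body."""
    hits = []
    for n, line in enumerate(script_text.splitlines(), 1):
        m = DIRECTIVE_RE.match(line)
        if m:
            hits.append((n, m.group(1).lower(), m.group(2)))
    return hits

def recently_changed(root, hours=24):
    """Files under root modified in the last `hours`, newest first.
    Point it at %HOMEPATH%\\.rhinocode\\py39-rh8\\site-envs to see what a
    script install wrote there today."""
    cutoff = time.time() - hours * 3600
    hits = [p for p in Path(root).rglob("*") if p.is_file() and p.stat().st_mtime >= cutoff]
    return sorted(hits, key=lambda p: p.stat().st_mtime, reverse=True)

# Constructed sample script text; not the script from the forum's .gh file.
SAMPLE_SCRIPT = """# an ordinary comment, not a directive
# r: numpy, scipy
# venv: inspect-me
import numpy
print(numpy.__version__)
"""

def demo_recent_check():
    """Build a throwaway site-envs lookalike with one fresh and one backdated package."""
    with tempfile.TemporaryDirectory() as tmp:
        fresh = Path(tmp, "pkg_new", "__init__.py")
        old = Path(tmp, "pkg_old", "__init__.py")
        for p in (fresh, old):
            p.parent.mkdir()
            p.write_text("")
        week_ago = time.time() - 7 * 86400
        os.utime(old, (week_ago, week_ago))  # pretend pkg_old was installed a week ago
        return [p.parent.name for p in recently_changed(tmp)]
```

Run `find_package_directives` on the script text you have extracted from the component before enabling the solver, and `recently_changed` on the site-envs folder afterwards to see what an install actually wrote.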

I did that and nothing appeared to be downloaded. But… the previously downloaded packages are still in site-packages. What I’d like to do is clear anything dated today from that folder and see what happens then. Is it safe to do that? Are there other folders where I should do the same thing?

Hi,

I uninstalled Rhino, made sure the .rhinocode folders were gone, reinstalled it and ran Grasshopper as a clean install.

With the solver disabled, loading the .gh file does not cause any downloads, but double clicking on the script component in order to see the script does:

Regards
Jeremy

1 Like

@jeremy5 Thanks for checking. I logged the issue here and will improve

RH-81321 Opening GH script while solver is disabled still installs packages

1 Like