goscript
Goscript: Runtime execution of Go code.
Usage
A Goscript is a string that contains valid Go code that can be executed by Goscript.
The script string defines a goscript
function that takes in zero or more
arguments, and returns two; a value and an error.
You then start the script like this:
script := goscript.New(`
import (
"strings"
)
func goscript(name string) (string, error) {
return "Hello " + strings.ToUpper(name), nil
}
`)
defer script.Close()
And make calls to the goscript
function like this:
greeting, err := script.Execute("Mat")
if err != nil {
log.Fatalln(err)
}
log.Println(greeting)
// prints: Hello MAT
Rules
- Every script must provide a
goscript
entry function
- Imports must be included above the
goscript
function if required
- Any special types being used as input or output require
gob.Register
in the script and the calling code
- The
goscript
function must return two values and the second type must be error
- Only execute trusted code; there are no limits to what scripts can do
Security
Running any Go code unsupervised represents a pretty giant security concern for obvious reasons, but that doesn't
nncessarily spell the end for using Goscript in your projects.
One option is to wrap Goscript and provide the goscript
func signature youself, and allow users to only provide the
body. This would also prevent them from controlling the imports too. And with some simple string checking, you'd be able
to protect from injection attacks.
For an example of how this might work, see the example/rename
tool.
How it works
- Goscript generates a mini Go program and executes it with
go run
- The script program communicates with the host program via stdin/stdout
- Values are encoded/decoded via the
encoding/gob
package
- The script program stays running until
Close
is called
Logo by Rob Baines, inspired by Renee French, licensed under a Creative Commons Attribution 4.0 International license.