Open Source Adventures: Episode 58: PyScript: First Impressions

#python #javascript

An alpha version of PyScript just came out, with tagline "Run Python in Your HTML". Let's check it out.

Documentation is mostly all wrong, so there's a lot of steps to get it even running.

Download

The download instructions are:

Download PyScript now
Unzip the downloaded file
Copy the assets you want to use and add the following lines to your html file

There's just one problem, there are no asset files in that zip.

So instead we need to manually download https://pyscript.net/alpha/pyscript.css and https://pyscript.net/alpha/pyscript.js instead.

That however does not work, as it then crashes trying to get pyscript.py, so we need to get https://pyscript.net/alpha/pyscript.py as well.

Local server

I tried just creating a Hello World HTML and opening it as a local file, but that got into instant CORS error.

It's unfortunately more and more common with anything that uses modern web technologies.

Fortunately Python comes with a builtin HTTP server, so we can run python3 -m http.server 8080 and then open http://localhost:8080/hello.html

Hello, World!

OK, with that out of the way, let's write the simplest possible Python script:

<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8" />
  <meta name="viewport" content="width=device-width, initial-scale=1" />
  <title>Hello World</title>
  <link rel="stylesheet" href="./pyscript.css" />
  <script defer src="./pyscript.js"></script>
</head>
<body>
  <py-script>
    print("Hello World")
  </py-script>
</body>
</html>

If opened from local server, it at least no longer gets any errors in the network tab.

What happens then is that about 10% of time I get "Hello World" printed. And 90% of time there's an error in console like this:

JsException: SyntaxError: Failed to execute 'querySelector' on 'Document': '#-49bea52c-4893-412d-cba1-447d24c65f0a' is not a valid selector.

And only a pink bar in the document. I thought it might be some issues with some Chrome Extensions, so I tried it in an incognito window or in Safari, same thing.

It's very clearly some race condition.

Should you use PyScript?

Obviously not yet.

Coming next

All the code is on GitHub.

I want to come back to PyScript at some point, but in the next episode we'll actually take a look at Opal Ruby, which recently got 1.5 release.

Top comments (5)

Mahmoud Harmouch • May 14 '22 • Edited

The other day, I was tinkering around that library hunting for security vulns, turns out that the majority of os methods are blocked by default. So, I was attempting the following:

with open("/lib/python3.10/hacky_module.py", "wt") as f:
    f.write("import os;command = "ls -la";print(os.system(command))")

import hacky_module

Which gives the following output:

-1

Meaning that an error was thrown. However, you can run the following:

import os
print(os.listdir('/'))

which returns:

['tmp', 'home', 'dev', 'proc', 'lib']

Same for the subprocess module:

import subprocess
command = "ls -la"

list_dirs = subprocess.run(["bash", "-c", command],
    stdout=subprocess.PIPE, stderr=subprocess.PIPE,
    check=True,
    text=True)

print(list_dirs.stdout)

Which throws an error when executing it.

So, the framework is pretty secure. Other than the race condition, the only downside is being ridiculously slow. I am not sure whether or not it is a problem tied to the framework or the language itself: python. Most likely the latter. I will be investigating this over the weekend.

Tomasz Wegrzanowski • May 14 '22

It runs in WASM so any vulnerabilities you'd get would be browser vulnerabilities, right?
There's probably some fake emulated "file system", wasm running in the browser has no access to platform files.