Error Messages/40826



Release:

4.6  •  5.0  •  5.1  •  5.2  •  5.3  •  5.4  •  6.0


Error Message Examples

 You cannot evaluate a call to RunConsoleProcess directly from an input variable.
 Variable CallProcess has an input node associated with it, so you cannot enter a
 call to RunConsoleProcess directly into the input of CallProcess.

 Evaluation of Function DbWrite is not allowed from within an input variable.

Cause

You cannot call the function RunConsoleProcess from a variable with an input node.

You cannot call the function RunConsoleProcess by entering it into an input of a variable.

This limitation is imposed for security reasons. You don't want users of a model to be able to run arbitrary processes on your computer (these would have to be users of Analytica Power Player). Hence, Analytica doesn't allow calls to RunConsoleProcess to be evaluated directly from a node that a Player/Power Player user can change.

If you have an external process that you want your model to run when being used by an end-user, then make sure it is in a variable that does not have an input node.

You should always be somewhat security conscious. You could design a model that allows a Power Player end user to run arbitrary processes. For example:

Variable cmd { An variable with an input }
Variable RunIt := RunConsoleProcess(cmd,...)

This would be highly non-recommended. You should keep control over what the cmd is being executed inside your model.

Remedies

Remove the input node for the object that calls the RunConsoleProcess function.

Changing Security Policy

new to Analytica 4.4

For each built-in Analytica function, the policy for allowing or disallowing calls to the function can be configured to any of the following:

  • Always allow
  • Disallow from input variables
  • Disallow (also) from UDFs that are called from input variables
  • Disable always

The one exception to this is RunConsoleProcess, which cannot be lowered more liberally than "Disallow from input variables". The security policy here is specific to your computer, not to the model you are running. Functions like DbWrite could be susceptible to SQL injection attacks, so these are restricted in input nodes in general. On a web server that allows models to be uploaded, you may want to disable RunConsoleProcess in all cases from ADE.

These security policies are configured in the Analytica.ini file. This file is located in the Analytica or ADE install directory.

If you install Analytica or ADE as a system admin, then you can also configure policies that differ by user account. In the ADE case, you could, for example, have the account that ADE is run as from a web page configured with a different policy than ADE from your user account. To do this, you need to add a string value named Preferences to the HKCU/Software/Lumina Decision Systems/ADE/5.4{{Release||5.4|x64} hive. For the value, enter a path to another Preference.ini file that you create. Then in that file, modify the security policy as you want it for that user, e.g.:

Att_whenDisallowed RunConsoleProcess: 4 { Always }

The possible values for Att_whenDisallowed are:

1 = Disallow from input variables, but allow from UDFs called by input variables.
3 = Disallow from input variables and from UDFs called from input variables
4 = Always disallow

If you are extremely security conscious, then you may want to restrict functions that allow users to read the contents of files on your computer. Generally user would need to know where to look for a file to find it, but you may want to remove that theoretical possibility. To do this, consider restricting: ReadTextFile, SpreadsheetOpen, and DbQuery.

See Also

Comments


You are not allowed to post comments.