During python runtime, can python inspect rust types wrapped by #[pyclass]?

[jymchng]

An example:

#[pyclass ]
struct PySecretString {
    rust_secret_string: String
}

The PySecretString does not participated in garbage collector protocol as gc is not passed into the attribute macro.

Let's assume the neccessary is done to have this #[pyclass ] imported in a python script. Assume also no methods of PySecretString returns the bare rust_secret_string except for one that returns an encrypted string of it. I am well-aware that inspect.getmembers, vars, dir and even gc.getreferers are unable to get a handle on rust_secret_string of an instance of PySecretString.

Are there some fundamental guarantees that python runtime can never access the data of rust_secret_string of an instance of PySecretString?

Thank you.

[adamreichold]

There are no security boundaries between Python code and native extensions, c.f. ctypes.string_at which can be used to read arbitrary memory.

[jymchng]

That said, how would one explore via the python runtime to get a valid address to the rust_secret_string field?

[birkenfeld]

id(obj) gives you the address of the PyObject struct. It then just remains to find the offset to the location of the string pointer.

[jymchng]

Thanks for your answer, yeah I read about alignment and the related concepts in the Rust for Rustacean book.

[jymchng]

But nonetheless, using custom types implemented in Rust does have the effect of making applications written in python more secured since it can make certain programming mistakes more forgiving.

[adamreichold]

(As side remark, I think GitHub's dicussions feature would be much more suitable to such exploratory questions which do not describe a defect or enhancement proposal.)