June 7, 2017

Security: the dangers of copying and pasting R code

Filed under: Computing, R — Tags: — csgillespie @ 10:11 am

Most of the time when we stumble across a code snippet online, we often blindly copy and paste it into the R console. I suspect almost everyone does this. After all, what’s the harm? Consider this simple piece of R code that performs simple linear regression

# Generate data
x = rnorm(10)
y = rnorm(10)
message(“All your base are belong to us.”)
# Simple linear regression 
m = lm(y ~ x)

Now highlight the above piece of R code and copy and paste it into your console; look carefully at what you’ve pasted. A new line has magically appeared.

# Generate data
x = rnorm(10)
y = rnorm(10)
message("All your base are belong to us.")
# Simple linear regression
m = lm(y ~ x)

Due to some sneaky CSS magic, I was able to hide the message() statement. If I was evil, I could have changed this to a system, source, or any other command.

The CSS code simply sets the message() function to the background color, changes the font size and makes it un-selectable (see this post for details).

So remember, be careful with your copy and pasting!



  1. Saw your article from r-bloggers. Good stuff there!

    Comment by Nam — June 7, 2017 @ 4:42 pm

  2. Ok, important! Is it possible, for instance, to format the hard drive with ‘system’?


    Comment by anspiess — June 7, 2017 @ 5:21 pm

    • Only if you are running in admin. But you could easily delete all user files

      Comment by csgillespie — June 7, 2017 @ 9:22 pm

  3. So, always copypaste into a text editor. Done and done. BTW, if you want a real-world example of ubiquitous malware, hop on over to MATLAB. People for some inexplicable reason start their scripts with “clf, clear all” , and ifyou don’t remove those lines, you may lose a ton of objects in your working environment.

    Comment by Carl Witthoft — June 7, 2017 @ 5:35 pm

  4. Seems like a fun idea, but you definitely want to use Unicode characters. I get the following when pasted:

    message(“All your base are belong to us.”)
    Error: unexpected input in “message(�”

    Comment by Phil — June 7, 2017 @ 5:41 pm

  5. CSS magic less magical in R-bloggers; no magic in RSS reader.

    Comment by Pitixx — June 7, 2017 @ 5:52 pm

    • True. Although I suspect it won’t take much to make it work under R bloggers

      Comment by csgillespie — June 7, 2017 @ 9:23 pm

  6. … or never use the R console directly, and use a script in an editor (RStudio, Emacs, …)!

    Comment by Mathieu — June 7, 2017 @ 6:01 pm

  7. fairly often I have heard people in industry and gov say using R is a security risk. this is the 1st time I have ever seen demonstration of it, and it only applies to pasting to very particular conditions. do you know of any other security issues with R?

    Comment by lo.brow.R — June 8, 2017 @ 1:01 pm

    • I don’t think there are any inherent security risks particular to R, just the usual things you need to be careful of, e.g. where you download base R.

      Comment by csgillespie — June 8, 2017 @ 1:47 pm

RSS feed for comments on this post. TrackBack URI

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Create a free website or blog at WordPress.com.

%d bloggers like this: