Jupyter Notebooks are created to be shared with other users, in many cases over the internet. However, a Notebook can execute arbitrary code and generate arbitrary code, which is a problem if malicious content has been placed in it. The default security mechanisms for Jupyter Notebooks include the following:
- Raw HTML is always sanitized (checked for malicious code). Further information can be found at https://developers.google.com/caja.
- You cannot run external JavaScript.
- Cell contents (especially HTML and JavaScript) are not trusted (user validation is required to continue).
- The output from any cell is not trusted.
- All other HTML or JavaScript is never trusted, and clearing the output will cause the Notebook to become trusted when saved.
Notebooks can also use a security digest to ensure the correct user is modifying the contents. A digest takes into account the entire contents of the Notebook and a secret (known only to the Notebook creator). This combination ensures that malicious code is not added to a Notebook.
You can add a security digest to a Notebook by using the following command:
~/.jupyter/profile_default/security/notebook_secret
Here, you replace the notebook_secret part with your secret.
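The digest described above, as an added illustration that is not Jupyter's own code: it assumes HMAC-SHA256 over a canonical JSON serialization of the Notebook, and the secret, the sample Notebook and the function names are constructed for the example. It shows that the recorded digest stops matching when the contents change or when the verifier does not hold the creator's secret.

```python
import copy
import hashlib
import hmac
import json


def notebook_digest(notebook: dict, secret: bytes) -> str:
    """Keyed digest over the entire Notebook contents (assumed: HMAC-SHA256)."""
    # Canonical serialization: the same contents always produce the same bytes.
    payload = json.dumps(notebook, sort_keys=True, separators=(",", ":"),
                         ensure_ascii=False).encode("utf-8")
    return hmac.new(secret, payload, hashlib.sha256).hexdigest()


def is_trusted(notebook: dict, secret: bytes, recorded_digest: str) -> bool:
    """True only if the contents are unchanged and the secret is the creator's."""
    expected = notebook_digest(notebook, secret)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected, recorded_digest)


# Constructed sample data, not taken from a real Notebook or secret file.
SECRET = b"constructed-demo-secret"
NOTEBOOK = {
    "nbformat": 4, "nbformat_minor": 5, "metadata": {},
    "cells": [{
        "cell_type": "code", "source": "print('hello')", "metadata": {},
        "execution_count": 1,
        "outputs": [{"output_type": "stream", "name": "stdout", "text": "hello\n"}],
    }],
}


def demo() -> dict:
    recorded = notebook_digest(NOTEBOOK, SECRET)  # stored when the creator saves
    tampered = copy.deepcopy(NOTEBOOK)
    tampered["cells"][0]["outputs"].append(       # someone else edits the output
        {"output_type": "display_data", "metadata": {},
         "data": {"text/html": "<b>edited output</b>"}})
    return {
        "original": is_trusted(NOTEBOOK, SECRET, recorded),
        "tampered": is_trusted(tampered, SECRET, recorded),
        "wrong_secret": is_trusted(NOTEBOOK, b"some-other-secret", recorded),
    }


if __name__ == "__main__":
    print(demo())
```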