
# Context -- skip if you want to get right to the point
I've been building a rather complex web application in Python (Bottle/gevent/MongoDB). It is an RSVP system which allows several independent front-end instances with registration forms as well as back-end access with granular user permissions (those users are our clients). I now need to implement a flexible map-reduce engine to collect statistics on the registration data. A one-size-fits-all solution is impossible since the data gathered varies from instance to instance. I also want to keep this open for our more technically inclined clients.
# End of context

So I need to execute arbitrary strings of code (some kind of ad-hoc plugin - language doesn't matter) entered through a web interface. I've already learned that it's virtually impossible to properly sandbox Python, so that's no option.

As of now I've looked into Lua and found Lupa, Lunatic Python and Lupy, but all three of them allow access to parts of the Python runtime.

There's also PyExecJS and its various runtimes (V8, Node, SpiderMonkey), but I have no idea whether it poses any security risks.

Questions:
1. Does anyone know of another (more fitting) option?
2. To those familiar with any of the Lua bindings: Is it possible to make them completely safe without too much hassle?
3. To those familiar with PyExecJS: How secure is it? Also, what kind of performance should I expect for, say, calling a short mapping function 1000 times and then iterating over a 1000-item list?

viernullvier
  • Is using python a requirement? What about just using lua and removing the "dangerous" functions from the vm environment? Also this question might be relevant http://stackoverflow.com/questions/17454263/can-lupa-be-used-to-run-untrusted-lua-code-in-python?rq=1. – greatwolf Jan 08 '15 at 23:29
  • @greatwolf The untrusted code could be in any suitable language. Thanks for the link, I couldn't try it though because Lupa still refuses to even install on my development machine. I went the JS way instead which already works, but with major security concerns. – viernullvier Jan 13 '15 at 13:31

2 Answers


Here are a few ways you can run untrusted code:

  • a Docker container that runs the code, I would suggest checking codecube.io out, it does exactly what you want and you can learn more about the process here
  • using the libsandbox libraries but at the present time the documentation is pretty bad
  • PyPy’s sandboxing

Sneklang is a strict subset of Python, that is safely evaluated in your provided scope.

It is limited by scope size, and by number of node evaluation steps and protects from infinite loops, stack overflows, and excessive memory usage.

There is an online sandbox as well: https://sneklang.functup.com

I've made this project specifically because I had the same requirements.

Tim
  • Here are some related discussions as background for evaluating the "safely evaluated" claim: https://stackoverflow.com/a/3243844, https://stackoverflow.com/a/3513475, https://stackoverflow.com/q/35804961, https://softwareengineering.stackexchange.com/a/191628, http://neopythonic.blogspot.com/2009/03/capabilities-for-python.html, https://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html – djvg Mar 11 '21 at 10:49