
I've been thinking for a while about the idea of allowing a user to inject code on a website and run it on a web server. It's not a new idea - many websites allow users to "test" their code online, such as http://ideone.com/.

For example: let's say that we have a form containing a <textarea> element in which the user enters his piece of code and then submits it. The server reads the POST data, saves it as a PHP file and require()s it while surrounded by ob_*() output buffering handlers. The captured output is presented to the end user.

My question is: how to do it properly? Things that we should take into account [and possible solutions]:

  • security, user is not allowed to do anything evil,
  • stability, user is not allowed to kill the webserver by submitting while(true){},
  • performance, server returns an answer in an acceptable time,
  • control, user can do anything that matches previous points.

I would prefer PHP-oriented answers, but a general approach is also welcome. Thank you in advance.

Tomasz Kowalczyk
  • +1 for an interesting topic, I would like to know such a thing also, I'll keep monitoring the topic – sikas May 15 '11 at 03:37
  • *(related)* [Is there a PHP Sandbox?](http://stackoverflow.com/questions/4616159/is-there-a-php-sandbox-something-like-jsfiddle-is-to-js) – Gordon May 15 '11 at 08:26

2 Answers


I would think about this problem one level higher, above and outside of the web server. Have a very unprivileged, jailed, chroot'ed standalone process for running these uploaded PHP scripts; then it doesn't matter what PHP functions are enabled or not, they will fail based on permissions and lack of access.

Have a parent process that monitors how long the above mentioned "worker" process has been running; if it's been too long, kill it, and report back a timeout error to the end user.

Obviously there are many implementation details to work out as to how to run this system asynchronously outside of the browser request, but I think it would provide a pretty secure way to run your untrusted PHP scripts.

Chris Cherry
  • I was thinking along the same lines, except with virtualization instead of chroot-jails. – Mike Baranczak May 15 '11 at 03:50
  • That's very interesting, but I think that "asynchronousness" of that solution is quite hard to implement. We could still do that through an AJAX call, which would be an easy task, but then the issue of protecting it from DDoS attacks arises. – Tomasz Kowalczyk May 15 '11 at 03:50
  • Ok, I see no more answers, so yours is the best one. I'll be very grateful if someone can answer this one: http://stackoverflow.com/questions/6010401/can-someone-compile-php-runkit-dll-extension-for-me but for now, I'm accepting. – Tomasz Kowalczyk May 17 '11 at 13:13
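As an added illustration of the supervisor/worker layout this answer describes (my own example, not code from the answer or from any project): a Python parent launches one throw-away worker per submission under kernel resource limits and a wall-clock timeout, and kills the worker's whole process group when it overruns. The `php -n` invocation, the limit values and the optional `run_as` account are assumptions; the chroot/jail step the answer mentions is left to the deployment.

```python
import os
import resource
import signal
import subprocess
import tempfile


def _cap(limit, wanted):
    """Set soft=hard=wanted, never above the hard limit already inherited."""
    hard = resource.getrlimit(limit)[1]
    value = wanted if hard == resource.RLIM_INFINITY else min(wanted, hard)
    resource.setrlimit(limit, (value, value))


def _worker_limits(cpu_seconds, mem_bytes, run_as):
    """Build the preexec hook: runs in the child after fork, before exec."""
    def apply():
        # Kernel-enforced caps, so a while(true){} dies even if PHP's own limits are bypassed.
        _cap(resource.RLIMIT_CPU, cpu_seconds)  # SIGXCPU once the CPU budget is spent
        _cap(resource.RLIMIT_AS, mem_bytes)     # allocations fail past this address-space size
        if run_as is not None:  # assumption: supervisor runs as root and sheds privileges here
            uid, gid = run_as
            os.setgroups([])
            os.setgid(gid)
            os.setuid(uid)
    return apply


def run_untrusted(argv, wall_seconds=2.0, cpu_seconds=1, mem_bytes=128 * 1024 * 1024,
                  run_as=None, cwd=None):
    """Run argv as a throw-away worker; return captured output and how it ended."""
    proc = subprocess.Popen(
        argv, stdin=subprocess.DEVNULL, stdout=subprocess.PIPE, stderr=subprocess.PIPE,
        cwd=cwd, start_new_session=True,  # own process group, so the kill below reaches children
        preexec_fn=_worker_limits(cpu_seconds, mem_bytes, run_as))
    try:
        out, err = proc.communicate(timeout=wall_seconds)
    except subprocess.TimeoutExpired:
        try:
            os.killpg(proc.pid, signal.SIGKILL)  # pid == pgid because of start_new_session
        except ProcessLookupError:
            pass
        out, err = proc.communicate()
        return {"status": "timeout", "stdout": out, "stderr": err, "returncode": proc.returncode}
    if proc.returncode in (-signal.SIGXCPU, -signal.SIGKILL):
        status = "killed"  # CPU cap hit, or killed by the kernel for another reason
    else:
        status = "ok" if proc.returncode == 0 else "error"
    return {"status": status, "stdout": out, "stderr": err, "returncode": proc.returncode}


def run_untrusted_php(code, **limits):
    """Write the submission to a scratch dir and run it with a bare php binary (no php.ini)."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "submission.php")
        with open(path, "w") as f:
            f.write(code)
        return run_untrusted(["php", "-n", path], cwd=workdir, **limits)
```

Run the worker inside the chroot or container the answer calls for, with `run_as` set to a dedicated unprivileged account; the limits here only bound time and memory, not filesystem or network reach.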

Wouldn't disabling functions in your server's ini file limit some of the functions of the application itself?

I think you have to do some hardcore sanitization on the POST data and strip "illegal" code there. I think doing that with the addition of the other methods you describe might make it work.

Just remember. Sanitize the everloving daylight out of that POST data.

Nic
  • Disabling functions is not a solution in my opinion. I would rather "whitelist" some of them, and php.ini doesn't have an allowed_functions directive. And even if I could do that, the "stability" requirement is still an issue. – Tomasz Kowalczyk May 15 '11 at 03:46
  • Disabling functions won't work well. I've seen servers where they sandbox your code, and destroy the sandbox after 15 seconds. – Pwnna May 15 '11 at 03:50