Using Deno you can execute WASM on a server. WASM is sandboxed for the user's safety. From my understanding, WASM code cannot do HTTP requests or modify the DOM.

Is safety guaranteed server side too? I'm looking to run arbitrary Python code from user input on servers using pyodide but was concerned that I have missed some important security flaw.

user82395214
  • With pyodide in the browser you can both modify the DOM and make HTTP requests via JS. So I imagine the same would apply when run on the server. – rth Jan 29 '21 at 08:56
  • As for making HTTP calls, I have never used pyodide, but apparently you can use both the XMLHttpRequest and the Fetch web API directly from Python: https://stackoverflow.com/a/64804258/3036129 – jackdbd Jan 31 '21 at 14:34

1 Answer

Using Deno you can run WebAssembly modules on a server because the Deno wasi module provides an implementation of WASI, the WebAssembly system interface. Using Deno is just one way of running wasm modules on a server. You could choose between many other implementations of WASI, like the wasi module in Node.js, wasmtime, lucet, wasmer, etc.

Code [running] outside of a browser needs a way to talk to the system — a system interface.

As for your security concerns, keep in mind that your WebAssembly code runs in a sandboxed environment. It's not your host system that directly executes the code in your wasm module. It's the wasm runtime — that implements the WASI interface — that runs it. And as far as I know the only way for your code to produce side effects (e.g. perform an HTTP call, access files) is to go through appropriate APIs defined by WASI.

jackdbd
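
An added example, not part of the original answer or of any project mentioned in it: the point about side effects going through host-provided APIs, generalized from WASI to any import object. A wasm module declares every host function it wants in its import section, so the host can audit that list and hand in only allowlisted functions before any guest code runs. The module bytes are constructed for this example, and `host_log`, `listImports`, `instantiateWithAllowlist`, `demo` and `demoDenied` are hypothetical names; it uses only the standard `WebAssembly` JavaScript API available in Deno and Node.js.

```javascript
// Constructed, hand-assembled wasm module (sample input for this example):
// it imports env.host_log (i32)->() and exports run(), which calls host_log(42).
const WASM_BYTES = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,             // magic + version
  0x01, 0x08, 0x02, 0x60, 0x01, 0x7f, 0x00, 0x60, 0x00, 0x00, // types: (i32)->(), ()->()
  0x02, 0x10, 0x01, 0x03, 0x65, 0x6e, 0x76,                   // import section, "env"
  0x08, 0x68, 0x6f, 0x73, 0x74, 0x5f, 0x6c, 0x6f, 0x67, 0x00, 0x00, // "host_log", func type 0
  0x03, 0x02, 0x01, 0x01,                                     // one local function, type 1
  0x07, 0x07, 0x01, 0x03, 0x72, 0x75, 0x6e, 0x00, 0x01,       // export "run" = func 1
  0x0a, 0x08, 0x01, 0x06, 0x00, 0x41, 0x2a, 0x10, 0x00, 0x0b, // body: i32.const 42; call 0
]);

// The import section is the module's full list of requested host functions;
// it can be read without executing any guest code.
function listImports(bytes) {
  return WebAssembly.Module.imports(new WebAssembly.Module(bytes))
    .map((i) => `${i.module}.${i.name}`);
}

// Instantiate only if every requested import is allowlisted, and pass nothing
// but those allowlisted host functions into the sandbox.
function instantiateWithAllowlist(bytes, hostFns) {
  const module = new WebAssembly.Module(bytes);
  const imports = Object.create(null); // no prototype: guest-chosen names cannot collide
  for (const { module: ns, name } of WebAssembly.Module.imports(module)) {
    const key = `${ns}.${name}`;
    if (!Object.prototype.hasOwnProperty.call(hostFns, key)) {
      throw new Error(`refusing module: import ${key} is not allowlisted`);
    }
    imports[ns] = imports[ns] || Object.create(null);
    imports[ns][name] = hostFns[key];
  }
  return new WebAssembly.Instance(module, imports);
}

// Returns the values the guest passed to the single capability it was given.
function demo() {
  const seen = [];
  const hostFns = { "env.host_log": (value) => { seen.push(value); } };
  instantiateWithAllowlist(WASM_BYTES, hostFns).exports.run();
  return seen;
}

// With an empty allowlist the guest is rejected before it starts.
function demoDenied() {
  try { instantiateWithAllowlist(WASM_BYTES, {}); return "instantiated"; }
  catch (err) { return err.message; }
}
```

Running `listImports` on a larger module such as a Pyodide build shows how many host functions it expects; each one the host chooses to supply is part of what the guest code can reach.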