
I am developing an online compiler where users can run Python code. My requirement is to run that Python code on the server side with exec. So I researched how I can completely prevent a user from running malicious Python code, and most of the sites suggested this:

  1. built-ins disabled
  2. Ptrace and chroot jail
  3. Sandboxing/VM

But if I store a list of blacklisted commands, e.g. ["exec","os","subprocess"], and check the code string for the presence of any blacklisted command and discard it on the client side as well as the server side, then doesn't that solve the problem?

Jay Patel
  • Years ago there was an attempt to create such a restricted environment from within Python. It failed because of Python's flexibility (only older users may remember the "rexec" and "bastion" modules). The only way which could be safe is to restrict the process on the OS level or maybe to use a VM. – Michael Butscher Sep 04 '21 at 17:29
  • First, blacklists are always wrong. Second, `__class__` and `__subclasses__` let you do a *lot*. – Davis Herring Sep 06 '21 at 05:57

0 Answers
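One way to act on the commenters' advice to restrict the process at the OS level instead of filtering the source, as an added example (not code from the question or from the commenters): the submission runs in a child interpreter under kernel-enforced limits, in a throwaway directory with an empty environment, and the parent enforces a wall-clock timeout. It assumes a POSIX host with the `resource` module; a production deployment would still add an unprivileged user and a container or namespace without network, which this snippet does not provide.

```python
"""Run an untrusted Python submission in a separate, resource-limited process.
Added example, not the question's or commenters' code. The source is never
scanned for words like "os"; isolation comes from kernel rlimits, a scratch
directory, an empty environment and a wall-clock timeout. POSIX only."""
import os
import resource
import subprocess
import sys
import tempfile

CPU_SECONDS = 2           # kernel sends SIGXCPU (fatal by default) past this
WALL_SECONDS = 3          # parent kills the child past this (covers sleeping)
MEMORY_BYTES = 512 << 20  # address-space cap; ample for a bare interpreter
OUTPUT_BYTES = 64 << 10   # largest file the child may write; also our pipe cap


def _apply_limits():
    """Runs in the child after fork(), before exec(): lower soft+hard limits."""
    resource.setrlimit(resource.RLIMIT_CPU, (CPU_SECONDS, CPU_SECONDS))
    resource.setrlimit(resource.RLIMIT_AS, (MEMORY_BYTES, MEMORY_BYTES))
    resource.setrlimit(resource.RLIMIT_FSIZE, (OUTPUT_BYTES, OUTPUT_BYTES))
    resource.setrlimit(resource.RLIMIT_NPROC, (0, 0))  # no further fork()/clone()


def run_untrusted(source: str) -> dict:
    """Execute `source` in a fresh interpreter and report what happened."""
    with tempfile.TemporaryDirectory() as workdir:
        script = os.path.join(workdir, "submission.py")
        with open(script, "w", encoding="utf-8") as fh:
            fh.write(source)
        try:
            proc = subprocess.run(
                [sys.executable, "-I", "-S", script],  # -I isolated mode, -S no site
                cwd=workdir,                 # scratch dir, deleted afterwards
                env={},                      # inherit no secrets or PYTHON* vars
                stdin=subprocess.DEVNULL,
                capture_output=True,
                timeout=WALL_SECONDS,        # subprocess.run kills on expiry
                preexec_fn=_apply_limits,
            )
        except subprocess.TimeoutExpired:
            return {"status": "timeout", "returncode": None, "stdout": "", "stderr": ""}
    return {
        "status": "ok" if proc.returncode == 0 else "error",
        "returncode": proc.returncode,  # negative means killed by that signal
        "stdout": proc.stdout.decode(errors="replace")[:OUTPUT_BYTES],
        "stderr": proc.stderr.decode(errors="replace")[:OUTPUT_BYTES],
    }
```

A busy loop ends as "error" (killed by the CPU limit) or "timeout" (wall clock), never "ok", and a sleeping submission is reaped by the parent's timeout.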