Giter Club home page Giter Club logo

untrusted-python's Introduction

๐Ÿ“ฆ untrusted-python

My blog post: Running Untrusted Python Code


This is a sandbox for running untrusted Python code. Until it's been audited by someone with some kind of security authority, you should consider it to be insecure.

With that in mind, I welcome any bug reports, sandbox escapes, etc. โ€“ please raise an issue or email/DM me.

You can try and break out of it here: https://untrusted-python.vercel.app

Development

Fly.io backend

Install flyctl.

cd sandbox
fly launch

Follow the instructions in your terminal. Make a note of the URL โ€“ it will look like https://foo.fly.dev. Copy it (without a trailing slash), and add it to web/.env as API.

Next.js frontend

npm i
npm run dev

Follow the instructions in your terminal.

Deploy

web is a Next.js app that you can deploy to Vercel. Set the root directory of the project to web.

sandbox is a Fly.io app that has fly.toml file ready to use. Add the Fly.io URL as a Vercel environment variable as API (without a trailing slash).

untrusted-python's People

Contributors

healeycodes avatar

Stargazers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Watchers

avatar avatar

Forkers

dafang

untrusted-python's Issues

Couldn't import some standard Python libs because of the permission issue

Hi @healeycodes , firstly I'd like to say thanks for the great idea and making it work. But it there seems to be an issue what we can't import several standard libraries. For example:

โ””โ”€> curl -X POST https://untrusted-python.fly.dev/api/exec \
-H "Content-Type: application/json" \
-d '{"code":"import datetime"}'

Traceback (most recent call last):
  File "/app/./sandbox.py", line 41, in <module>
  File "<string>", line 1, in <module>
ModuleNotFoundError: No module named 'datetime'

After checking around I can see the issue is because some permissions are missing. After disabled the drop_perms() function, it works well. Like this:

if __name__ == "__main__":
    code = sys.argv[1]
    set_mem_limit()
    # drop_perms()
    exec(code)

Then it works:

โ””โ”€> curl -X POST http://localhost:3000/api/exec \
-H "Content-Type: application/json" \
-d '{"code":"import datetime\nprint(1)"}'
1

So ideally we should improve this function to let all default Python's functionality work well.

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.