
Show HN: GoBox – GO sandbox to run untrusted code - nishit_nm
https://github.com/nishitm/goBox
======
Stammon
I'm afraid this tool is very easy to circumvent. It only checks the first
argument to a syscall for containing a forbidden path.

But for example openAt gets it's path as the second argument.

[http://man7.org/linux/man-
pages/man2/openat.2.html](http://man7.org/linux/man-pages/man2/openat.2.html)

This tool is a nice demo for how to use ptrace in golang. BUT PLEASE CHECK THE
CODE BEFORE USING THIS FOR ANYTHING SECURITY RELATED

~~~
Stammon
Edit: OpenAt is not a valid counterexample since the program checks file
descriptors. But e.g renameAt[0] allows to overwrite protected files. There
are numerous other options to circumvent that tool too.

[0]: [http://man7.org/linux/man-
pages/man2/renameat.2.html](http://man7.org/linux/man-
pages/man2/renameat.2.html)

