
Show HN: bash.rocks – A bash interpreter in the browser - wsxiaoys
https://bash.rocks/
======
wsxiaoys
Hey HN, bash.rock is my latest side project, a bash interpreter in cloud, it
comes with many utilities like curl, Python, ImageMagick, jq, etc.

Below are some snippet I created:

Generate random corporate bullshit:
[https://bash.rocks/w3nEB9](https://bash.rocks/w3nEB9)

Compress png to webp: [https://bash.rocks/YBbaJG](https://bash.rocks/YBbaJG)

Generate gif with curl, jq and ImageMagick:
[https://bash.rocks/NBXQ3w](https://bash.rocks/NBXQ3w)

Any suggestions / feedback welcome! :)

\---

A more interesting feature I haven't fully finished is to turn your random
bash snippet into an HTTP web service, like
[https://bash.rocks/Gxlg31/3/api?url=i.imgur.com/1uYroRF.gif](https://bash.rocks/Gxlg31/3/api?url=i.imgur.com/1uYroRF.gif)

which makes an obvious _premium_ feature in future :p

~~~
detaro
Very cool! The image integration is especially neat.

What does the backend look like?

~~~
wsxiaoys
It's a Cloud Function running in Cloud, with customized node package
dependencies (so I could pull stuff like jq, webp in).

Thanks to a fully managed container environment, I don't have to worry too
much about security stuff.

------
TylerJewell
Hey - founder & CEO of Codenvy, also project lead for Eclipse Che - a
workspace server and cloud IDE. We have learned a little bit about what it
takes to run environments in the cloud and then present development
experiences for languages in the browser.

Congrats to @wsxiaoys for launching a new project. Anyone who takes the time
to launch projects are doing a labor of love and commitment, so that deserves
credit and recognition!

Some observations that you may want to think about: a) The time to execute a
simple bash command "echo 'hi'" was a few seconds. This tells me that you are
probably spinning up a new Docker container on-demand after the user says
"run". This will not really make the product usable over time. You'll
eventually find that people will expect their environment to be loaded and
running the moment their end user session has started. This way you can use
Docker exec or other mechanisms (in Che we replaced Docker exec with a custom
agent that runs inside the container that gives us fine-grained control over
how processes are executed within the container). When a user says "run" you
can then guarantee instant execution and then control how results are
streamed.

b) I wrote most of the CLI for Eclipse Che and Codenvy (in bash!!). So learned
that a few project / framework concepts are essential. In particular a project
structure that allows you to source different files / or libraries will become
important. Also, BATS for unit testing is essential to anyone maintaining bash
scripts. Few people use BATS, but it's a life saver, so having automatic
structuring of BATS tests as users creates bash files would be awesome.

c) Have you seen the language server protocol? No one has built a language
server yet for Bash. It would be awesome to have symbol lookup, referencing,
and auto-complete services within your editor. You could use a Monaco editor
with a bash language server to give contextualized intelligence to your bash
program for the developer. You could even go so far as to offer line by line
debugging with it :)

Thanks for your contributions to the community!

------
polygot
Seems like a cool idea, but clicking on this link will immediately download a
file to your computer: [https://bash.rocks/KJKEk3](https://bash.rocks/KJKEk3)

(it's just a snippet from /dev/urandom, but it looks like it could be any
arbitrary file that's within the size limits)

For example, [https://bash.rocks/jJg193](https://bash.rocks/jJg193) shows that
it is possible to download any arbitrary data with no prompt (here it's the
eicar test file)

EDIT: where can I contact the author? I found a very bad security bug; I can
see what commands other users are running

~~~
wsxiaoys
Right now it is simply loading stdout / stderr with iframe, sometimes content
will be interpreted as binary flow so browser will tries to download it.

I'll try fix this in next iteration. (and i just fixed the /tmp :)

------
fiatjaf
So it's not bash, but a full Linux (?) environment with bash as the shell and
some programs installed by default.

------
tannhaeuser
For node.js, there's also cash [1], shelljs [2], and an initial bash syntax
parser [3], which actually implement POSIX shell subsets in Javascript (unlike
this project, which I understand calls out to a server-side bash process).
Though cash and shelljs work synchronously only, which make them usable for
build scripts etc. but not web services.

[1]: [https://github.com/dthree/cash](https://github.com/dthree/cash)

[2]: [https://github.com/shelljs/shelljs](https://github.com/shelljs/shelljs)

[3]: [https://github.com/dthree/vorpal](https://github.com/dthree/vorpal)

------
comex
I was hoping for WebAssembly - that is, a bash interpreter really running in
the browser. Of course, that would be a lot more ambitious, since unless you
wanted to be limited to bash builtins, you’d also need some kind of kernel and
the ability to run other processes…

(Yes, I’ve seen jslinux.)

------
ams6110
Neat, but what is the practical use? I already have a shell on my computer.

~~~
wsxiaoys
One feature I'm planning is to let you deploy your snippet as an service, like
[https://bash.rocks/Gxlg31/3/api?url=i.imgur.com/1uYroRF.gif](https://bash.rocks/Gxlg31/3/api?url=i.imgur.com/1uYroRF.gif)

With this and maybe a crontab enhance, this could be somehow useful for daily
automation.

------
fimdomeio
can someone explain me how can this exist without being a security nightmare?
From what I saw it's on a read only filesystem which looks like a great idea
but what else?

~~~
tyingq
It's implemented on Google cloud as a cloud function.

So, for whoever made this, the risk would be mostly about running up their
bill I suppose? Some risk to Google if it's possible to escape their
container, though I suppose they've done a bit of work in that space.

------
e79
Does each session run in an isolated container? Because I wonder, what's
stopping an attacker from exhausting system resources, messing with other
users stuff, etc.?

~~~
cygned
Ah yeah, the fork bomb.

~~~
cyphar
Modern kernels provide the pids cgroup, which specifically protects against
forkbombs. Most container runtimes support it as well.

------
fiatjaf
Can we get fish instead of bash?

