
Ask HN: Securely run code uploaded by users - tixocloud
Hi,

Just wondering if anyone has expertise on how to securely run code uploaded or typed in by users. I am curious about how those online coding environments are able to work securely without the worry of the server environment being attacked.

A thought I had was using Docker as a means to run the code.

Thanks!
======
ArtWomb
See blog post on golang playground:

[https://blog.golang.org/playground](https://blog.golang.org/playground)

NodeJS also includes a sandbox in its standard lib. And there are more
advanced versions out there:

[https://github.com/patriksimek/vm2](https://github.com/patriksimek/vm2)

Good luck and be careful ;)

~~~
tixocloud
Thanks - is there an equivalent for Python and R?

------
ekr
I was once thinking of implementing such an online judge. Looking through the
existing implementations, most restrict the syscalls available to the
untrusted process, and run in a chroot.

On FreeBSD, you'd use something like Capsicum. On Linux, something like
seccomp. Although, nowadays I imagine people would think of just running in a
VM or a container.

~~~
atmosx
Docker has AppArmor and seccomp profiles. Apart from the default, you can
monitor for syscalls and build a custom, pet app profile. Couple that with
proper mount perms, drop root user, monitor for outgoing connections and write
proper firewall rules (Cilium can be used to write BPF rules) and you are
pretty secure. You need time, attention to detail and multiple iterations to
distill the profiles for each layer.

------
tnolet
I wrote a pretty in-depth blog on how I run Node.js code for my SaaS at
[https://medium.freecodecamp.org/running-untrusted-javascript...](https://medium.freecodecamp.org/running-untrusted-javascript-as-a-saas-is-hard-this-is-how-i-tamed-the-demons-973870f76e1c)

~~~
tixocloud
This is close to perfect from what I had originally envisioned with a Docker
container. Thank you! If you don't mind, may I ask some questions if I do get
stuck? It's my first time working with Docker.

~~~
tnolet
No problem, ask away. My email is info@checklyhq.com

------
dmlittle
I'm not an expert by any means but two things that come to mind are:

1\. Run your users' code outside of your secured network. If you have a network
with a VPC, make sure you're not running users' code within your VPC.

2\. Restrict network access. If the code doesn't need to talk with the outside
world, don't allow egress traffic.

------
marktangotango
It helps to define the types of possible attacks; there are three generally:

1\. Accessing and exploiting system resources like file system, network stack
etc. Generally this can be mitigated by providing a method to whitelist API
calls. The JVM security manager has this capability.

2\. Exhaust memory by abusing heap allocation. Some OSes have the capability to
limit memory usage per process. Some language runtimes can, like the JVM maxheap
flag. Note this is per process, not per user request/script.

3\. Hog the CPU, starving other processes/requests/scripts. Again there are OS
level abilities to limit CPU per process, again not for individual
request/script.

I don’t know of any language/runtime that covers these three areas, if you do,
or if I missed anything, please share!
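
An added example, not part of the thread: one way to apply the per-process OS limits from points 2 and 3 to a single Python submission, by giving each submission its own child process with kernel-enforced CPU and memory caps. It assumes Linux; the limit values and the `run_untrusted` name are illustrative, and it does not address point 1, which still needs the syscall, filesystem and network restrictions discussed elsewhere in the thread.

```python
import resource
import signal
import subprocess
import sys

# Limits below are assumed values for illustration; tune them per workload.
CPU_SECONDS = 1                    # CPU time, enforced by the kernel
MEMORY_BYTES = 512 * 1024 * 1024   # cap on the child's address space
WALL_SECONDS = 5                   # catches sleep()/blocking, which burns no CPU


def _apply_limits():
    # Runs in the child after fork() and before exec(), so the limits bind
    # only the untrusted process, never the server that launched it.
    resource.setrlimit(resource.RLIMIT_CPU, (CPU_SECONDS, CPU_SECONDS))
    resource.setrlimit(resource.RLIMIT_AS, (MEMORY_BYTES, MEMORY_BYTES))
    resource.setrlimit(resource.RLIMIT_CORE, (0, 0))  # no core dumps on disk


def run_untrusted(source):
    """Run one submission in its own process; return (status, stdout, stderr)."""
    try:
        proc = subprocess.run(
            [sys.executable, "-I", "-c", source],  # -I: ignore env vars, user site
            preexec_fn=_apply_limits,
            stdin=subprocess.DEVNULL,
            capture_output=True,
            text=True,
            env={},                # do not hand the server's environment to the child
            timeout=WALL_SECONDS,  # child is killed when this expires
        )
    except subprocess.TimeoutExpired:
        return ("wall-timeout", "", "")
    # The kernel signals the child once it exceeds RLIMIT_CPU.
    if proc.returncode in (-signal.SIGKILL, -signal.SIGXCPU):
        return ("cpu-limit", proc.stdout, proc.stderr)
    status = "ok" if proc.returncode == 0 else "error"
    return (status, proc.stdout, proc.stderr)


if __name__ == "__main__":
    # Constructed sample submissions: benign, CPU hog, memory hog.
    for code in ("print(sum(range(10)))", "while True: pass", "bytearray(1 << 30)"):
        status, out, err = run_untrusted(code)
        print(status, out.strip(), err.strip().splitlines()[-1:])
```
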

~~~
ArtWomb
Possibly requiring state-actor level of expertise, but I'd be paranoid about
escaping the container / vm and gaining elevated privileges ;)

Sandbox will in all probability be running alongside application code so the
risk is an attacker gaining complete covert control!

