As a little weekend project, I'm trying to build an API to run python code and wondering what might go wrong.
Specifically, is there any way of building such a service that is safe from being hacked? My guess is that letting users input code that will be run is never safe, but I'd love some input on this.
The API can be tested here: https://api-run-code.herokuapp.com/
... and here is the code: https://github.com/nathanganser/api-to-execute-python
For context, I'm thinking about building an app that needs to run user-inputted python code, and since I could not find a service that makes this easy, I just built an MVP of it.
edit: Your specific protection appears to be `__builtins__ = None` and otherwise run in the same interpreter. It is very naive. Here is an example hack that gets to your "secret data":
(from https://nedbatchelder.com/blog/201206/eval_really_is_dangero... but really you could have googled it)
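An added example, not code from this thread or from the linked repository, of the approach the reply is pointing at: instead of stripping `__builtins__` inside the same interpreter, hand the submitted code to a separate interpreter process with CPU, memory and wall-clock limits, so runaway or hostile code cannot take the API process down with it. It assumes a POSIX host (Linux semantics for `RLIMIT_AS`); `run_untrusted`, `RunResult` and `_limits` are names chosen here.

```python
"""Run submitted Python out-of-process with CPU, memory and wall-clock limits."""
import resource
import subprocess
import sys
import tempfile
from dataclasses import dataclass
from typing import Optional


@dataclass
class RunResult:
    stdout: str
    stderr: str
    returncode: Optional[int]  # None when killed for exceeding the wall-clock limit
    timed_out: bool


def _limits(cpu_seconds: int, memory_bytes: int):
    # Builds the preexec hook. It runs in the child between fork and exec,
    # so the limits bind the interpreter that executes the user's code.
    def apply() -> None:
        resource.setrlimit(resource.RLIMIT_CPU, (cpu_seconds, cpu_seconds))
        resource.setrlimit(resource.RLIMIT_AS, (memory_bytes, memory_bytes))
    return apply


def run_untrusted(code: str, wall_seconds: int = 5, cpu_seconds: int = 2,
                  memory_bytes: int = 512 * 1024 * 1024) -> RunResult:
    # -I: isolated mode (ignore env vars, no user site dir, script dir off sys.path).
    # "-" reads the program from stdin, so nothing is written to disk as a script.
    # The child starts in a fresh empty directory with an empty environment.
    workdir = tempfile.mkdtemp(prefix="untrusted-")
    try:
        proc = subprocess.run(
            [sys.executable, "-I", "-"],
            input=code, capture_output=True, text=True,
            timeout=wall_seconds, cwd=workdir, env={},
            preexec_fn=_limits(cpu_seconds, memory_bytes),
        )
    except subprocess.TimeoutExpired as exc:
        # subprocess.run has already killed the child; partial output is bytes here.
        out, err = exc.stdout or b"", exc.stderr or b""
        out = out.decode(errors="replace") if isinstance(out, bytes) else out
        err = err.decode(errors="replace") if isinstance(err, bytes) else err
        return RunResult(out, err, None, True)
    return RunResult(proc.stdout, proc.stderr, proc.returncode, False)
```

The limits only bound runaway resource use; code that reads the host's files or opens network connections is still running as the API's user, which is the part that needs OS-level isolation (a container, seccomp profile or separate VM) rather than a namespace trick.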