by jbaviat on 3/19/24, 12:04 PM with 14 comments
by simonw on 3/23/24, 8:11 PM
The problem I most want to solve with this kind of library is execution of untrusted user-provided code in a sandbox.
For that I need three things:
1. Total control over what APIs the user's code can call. I don't want their code being able to access the filesystem, or run subprocesses, or make network calls - not without me explicitly allowing a controlled subset of those things.
2. Memory limits. I need to be able to run code without fear that it will attempt to allocate all available memory on my computer - generally that means I want to be able to set e.g. a 128MB maximum on the amount it can use.
3. Time limits. I don't want someone to be able to paste "while true() {}" into my system and consume an entire CPU thread in an infinite loop. Usually I want to say something like "run this untrusted code and throw an error if it takes more than 1s to run".
My most recent favourite solution to this is the https://pypi.org/project/quickjs/ Python library wrapper around QuickJS, which offers those exact features that I want - memory limits, control over what the code can do, and a robust time limit.
(The one thing it's missing is good documentation, but the https://github.com/PetterS/quickjs/blob/master/test_quickjs.... test suite covers all of those features and is quite readable.)
Can PyMiniRacer handle those requirements as well?
by nickpsecurity on 3/23/24, 8:23 PM
by leontrolski on 3/23/24, 11:05 PM
by rossant on 3/23/24, 9:59 PM
by punnerud on 3/23/24, 8:01 PM