Providing the user with an isolated version of a programming language

Note. I would appreciate some tag suggestions for this.

I would like to provide my users with a method for programmatically managing data on a server. This could be done using the code editor in the browser, which will be executed later, but does not look like the https://www.onx.ms method.

I would like to avoid writing a DSL (a barrier to adoption?) and would prefer that the language the user writes in is either JavaScript-based or Ruby-based.

My obvious concern is security. I understand the concerns that user code might work on the server side, but what steps can I take to eliminate the risk?

Do sites like http://railsforzombies.com use irb, or is it much easier?

+6
2 answers

Could you consider Java (or other JVM languages like JRuby, Scala, Clojure, etc.)? If so, there are many possibilities in the JVM to limit the privileges of a stand-alone application. See this other question for more information: How to create a Java sandbox?

+1

Google Caja allows you to safely embed JavaScript specified by the user on your site, but I think that it is aimed at running the code in the user's browser, and not on your server. I have not used it myself.

I don't know if there are ready-made solutions for other languages, but I think that the user solution will require recompilation of the interpreter after removing all the API libraries that will allow the user to write to disk, open network connections, fork processes / threads, as well as perform any other operations with dangerous or negative calls. Whitelisting "safe" libraries is the only approach that could work for this.

It would be safer if you had separate virtual servers for individual users.

+1
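
The allowlisting idea from the answer above, sketched as a deny-by-default broker: the user's script never touches server libraries and can only send requests that the host checks against a fixed table. This is an added example, not code from the thread; `dispatch`, `ALLOWED` and the per-user `store` are hypothetical names, and the script itself is assumed to run elsewhere (a separate process or virtual server).

```javascript
// Added example: deny-by-default broker between user code and server data.
// All names here (ALLOWED, dispatch, the per-user store) are hypothetical.
const MAX_VALUE_CHARS = 4096;

// Keys are restricted to a small alphabet so they can never be paths or URLs.
function isKey(k) {
  return typeof k === "string" && /^[a-z0-9_]{1,64}$/.test(k);
}

// Values must serialise to bounded JSON (rejects functions, cycles, BigInt).
function isSmallJson(v) {
  try {
    const s = JSON.stringify(v);
    return typeof s === "string" && s.length <= MAX_VALUE_CHARS;
  } catch {
    return false;
  }
}

// A Map, not a plain object: names such as "constructor" or "__proto__"
// must not resolve to anything inherited from Object.prototype.
const ALLOWED = new Map([
  ["get", { args: [isKey], run: (store, k) => (store.has(k) ? store.get(k) : null) }],
  ["set", {
    args: [isKey, isSmallJson],
    // Store a JSON round-trip copy so nothing but plain data is kept.
    run: (store, k, v) => { store.set(k, JSON.parse(JSON.stringify(v))); return true; },
  }],
  ["delete", { args: [isKey], run: (store, k) => store.delete(k) }],
]);

// request is the already-parsed message sent by the user's script,
// e.g. {"method": "set", "params": ["colour", "red"]}. store is a Map.
function dispatch(store, request) {
  if (request === null || typeof request !== "object") return { error: "bad request" };
  const { method, params } = request;
  const op = typeof method === "string" ? ALLOWED.get(method) : undefined;
  if (!op) return { error: "method not allowed" };
  if (!Array.isArray(params) || params.length !== op.args.length) return { error: "bad arity" };
  if (!op.args.every((check, i) => check(params[i]))) return { error: "bad argument" };
  return { result: op.run(store, ...params) };
}
```

Anything not listed in `ALLOWED` (disk, network, process creation) has no entry point at all, which is the property the answer asks for.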

Source: https://habr.com/ru/post/917853/

