Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Sand Boxed Python Execution #23

Open
mdancho84 opened this issue Jan 12, 2025 · 0 comments
Open

Sand Boxed Python Execution #23

mdancho84 opened this issue Jan 12, 2025 · 0 comments
Assignees
@mdancho84
Labels
enhancement New feature or request

Comments

@mdancho84
Copy link
Collaborator

Sandboxing Python code execution involves creating an isolated environment where untrusted code can run without compromising the security of your system. Here are a few methods to achieve this:

  1. RestrictedPython:

• What it is: A library that restricts the Python language features available to the sandboxed code.
• How it works: It provides a safe subset of Python by disabling potentially dangerous features like file system access, system calls, and certain built-in functions.
• Example:

from RestrictedPython import safe_globals, safe_builtins
from RestrictedPython.Eval import compile_restricted

code = """
print("Hello, world!")
"""

byte_code = compile_restricted(code, filename='', mode='exec')
exec(byte_code, safe_globals, safe_builtins)

  1. PyPy Sandbox:

• What it is: A sandboxed version of the PyPy Python interpreter.
• How it works: It isolates the execution of Python code within a separate process and limits its access to system resources.
• Example:

import pypy.interpreter.sandbox

code = """
print("Hello, world!")
"""

pypy.interpreter.sandbox.run_in_sandbox(code)

  1. Docker containers:

• What it is: A technology that allows you to run applications in isolated containers.
• How it works: You can create a Docker container with a minimal Python environment and run untrusted code within it. This provides strong isolation as the container has its own file system and network namespace.
• Example:

Dockerfile

FROM python:3.9-slim

WORKDIR /app

COPY code.py .

CMD ["python", "code.py"]

Build the image

docker build -t my-sandbox .

Run the container

docker run --rm my-sandbox

  1. CodeJail:

• What it is: A library specifically designed for sandboxing Python code.
• How it works: It uses Linux namespaces and AppArmor profiles to restrict the capabilities of the sandboxed process.
• Example:

from codejail.jail import Jail

with Jail() as jail:
jail.execute("print('Hello from the sandbox!')")

Choosing the right method:

• For simple use cases: RestrictedPython is a good starting point.
• For stronger isolation: PyPy Sandbox or Docker containers provide more security.
• For fine-grained control: CodeJail offers advanced capabilities like limiting CPU time and memory usage.

Generative AI is experimental.
@mdancho84 mdancho84 self-assigned this Jan 12, 2025
@mdancho84 mdancho84 added the enhancement New feature or request label Jan 12, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@mdancho84 mdancho84

Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@mdancho84