Skip to content

marcelo-schreiber/run-user-code-SaaS

Repository files navigation

API For Code Execution

MIT License GitHub Workflow Status

This is an API for running code in different languages, such as Python, Javascript and Ruby. It uses Docker to run the code in a safe environment, avoiding vulnerabilities and security breaches.

Table of Contents

Getting Started

Pre requisites

Make sure you have Docker e Node.js Installed.

Installation

In the project folder, install all dependencies:

  npm install

Pull the docker images, make sure your docker cli works without sudo:

  npm run pull-images

Start the server in development mode, every change in the code will restart the server:

  npm run dev

Run with docker

In the project folder, install all dependencies:

  npm install

Pull the docker images, make sure your docker CLI works without sudo:

  npm run pull-images

Create a docker image:

  docker build -t code-exec .

Run the docker image:

  docker run -p 3000:3000 -v /var/run/docker.sock:/var/run/docker.sock --name code-exec code-exec

Run in production

Follow the installation steps, then run the following command instead of npm run dev:

  npm start

Testing

To run the tests, run the following command:

  npm test

Make sure you have installed all dependencies before running the tests.

API Reference

Returns python code output

  POST /run/python
Paramter Type Description
code string Mandatory.
input string Optional. stdin separated by \n

Returns javacript code output

  POST /run/javascript
Paramter Type Description
code string Mandatory.

Returns ruby code output

  POST /run/ruby
Paramter Type Description
code string Mandatory.
input string Optional. stdin separated by \n

Why Docker? What could go wrong?

With the intention of running the user's code safely, it is understood that the user will not be able to have any interaction with the data and files on the server. In this sense, to avoid a vulnerability such as:

import os
os.system('shutdown -f') # shutdown the server

or

while (true) {} // infinite loop

or

File.delete('important_file.txt') # delete a file

With each user request, a container is created (similar to a virtual machine) which closes at the end of the program execution or after 3 seconds, avoiding infinite loops.

Other possible vulnerabilities such as file installation or container exits are escaped by limiting RAM memory and processing. Also, It removes privileges, network and disk writes (even within the container). In this way, a large part of the weaknesses are removed, especially in conjunction with a rate limiter (by IP, by Path, etc), load balancer, a queue system such that the server can run more than one container at a time and other security measures.

Inspirations and References

Technologies

Feedback

If you have any feedback, please reach out at marcelorissette15@gmail.com