This is an API for running code in different languages, such as Python, JavaScript and Ruby. It uses Docker to run the code in an isolated environment, avoiding vulnerabilities and security breaches.
- Getting Started
- Testing
- API Reference
- Why Docker? What could go wrong?
- Inspirations and References
- Technologies
- Feedback
Make sure you have Docker and Node.js installed.
In the project folder, install all dependencies:
npm install
Pull the Docker images; make sure your Docker CLI works without sudo:
npm run pull-images
Start the server in development mode; every change in the code will restart the server:
npm run dev
In the project folder, install all dependencies:
npm install
Pull the Docker images; make sure your Docker CLI works without sudo:
npm run pull-images
Build the Docker image:
docker build -t code-exec .
Run the Docker image (the host's Docker socket is mounted so the server can start containers for each request):
docker run -p 3000:3000 -v /var/run/docker.sock:/var/run/docker.sock --name code-exec code-exec
Follow the installation steps, then run the following command instead of npm run dev:
npm start
To run the tests, run the following command:
npm test
Make sure all dependencies are installed before running the tests.
POST /run/python

| Parameter | Type | Description |
|---|---|---|
| code | string | Mandatory. |
| input | string | Optional. stdin, lines separated by \n |

POST /run/javascript

| Parameter | Type | Description |
|---|---|---|
| code | string | Mandatory. |

POST /run/ruby

| Parameter | Type | Description |
|---|---|---|
| code | string | Mandatory. |
| input | string | Optional. stdin, lines separated by \n |
To run the user's code safely, the user must not be able to interact with the data and files on the server in any way. This rules out submissions such as:
import os
os.system('shutdown -f') # shutdown the server
or
while (true) {} // infinite loop
or
File.delete('important_file.txt') # delete a file
For each user request a container is created (similar to a virtual machine) which is destroyed when the program finishes or after 3 seconds, whichever comes first, which stops infinite loops.
Other risks, such as installing packages or escaping the container, are mitigated by limiting RAM and CPU. The container also runs without privileges, without network access and without disk writes (even within the container). This removes a large part of the weaknesses, especially in combination with a rate limiter (by IP, by path, etc.), a load balancer, a queue system so the server can run more than one container at a time, and other security measures.
If you have any feedback, please reach out at marcelorissette15@gmail.com