cs121-team-panda/coconut-interpreter

Research on security

Closed this issue · 4 comments

The major security concern for online compilers/interpreters is malicious code submitted by users. In the current system, the code is evaluated on the server-side. From the server's perspective, the server may happen to run the potentially malicious code. Some potential problems may arise, including but not limited to:

  • DDoS attack to exhaust the server's resources.
  • Manipulating file structures using the os module.

There are two main ways of addressing this security concern: running code on client-side and on server-side.

  1. Client-side
    In short, we can execute everything client-side using JavaScript, and possibly use tools like Brython, which essentially convert Python scripts to JavaScript so that they can be executed on the client-side.

Keypoints

  • Does not work with some of the libraries.
  • Depends on specific library versions.
  • Tends to be 3 to 5 times slower.
  2. Server-side
    2.1 Use Sandbox
    The general idea is to use sandboxing, which lets the potentially malicious code run inside that sandbox. See more discussion here. In Python, we have some discussions here.
    2.2 Use RestrictedPython
    RestrictedPython 4.0b2 is a defined subset of the Python language which allows providing program input into a trusted environment.

Keypoints

  • Faster
  • Does not depend on specific library versions.

Thoughts on this issue are much appreciated.
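
As an added illustration of the server-side option (not part of the original issue and not the project's code), the sketch below runs a submission in a separate process with kernel-enforced CPU, memory, file-size and wall-clock limits, which addresses the resource-exhaustion concern. The function name `run_submission` and all limit values are assumptions, and the code is POSIX-only.

```python
import resource
import subprocess
import sys
import tempfile

# Assumed limits for illustration; tune them for the real workload.
CPU_SECONDS = 1                    # CPU time before the kernel kills the child
MEMORY_BYTES = 512 * 1024 * 1024   # address-space ceiling
FILE_BYTES = 1024 * 1024           # largest file the child may write
WALL_SECONDS = 3                   # wall-clock ceiling (catches sleep/blocking)


def _apply_limits():
    """Runs in the child after fork, before the interpreter starts."""
    for limit, value in (
        (resource.RLIMIT_CPU, CPU_SECONDS),
        (resource.RLIMIT_AS, MEMORY_BYTES),
        (resource.RLIMIT_FSIZE, FILE_BYTES),
    ):
        resource.setrlimit(limit, (value, value))


def run_submission(code):
    """Run untrusted Python source in a separate, resource-limited process."""
    with tempfile.TemporaryDirectory() as workdir:  # scratch dir, deleted after
        try:
            proc = subprocess.run(
                [sys.executable, "-I", "-c", code],  # -I: isolated mode
                cwd=workdir,
                env={},                      # do not leak server environment
                stdin=subprocess.DEVNULL,
                capture_output=True,
                text=True,
                errors="replace",
                timeout=WALL_SECONDS,
                preexec_fn=_apply_limits,    # POSIX only
            )
        except subprocess.TimeoutExpired:
            return {"status": "timeout", "stdout": "", "stderr": ""}
    if proc.returncode < 0:
        status = "killed"                    # ended by a signal, e.g. SIGXCPU
    elif proc.returncode == 0:
        status = "ok"
    else:
        status = "error"
    return {"status": status, "stdout": proc.stdout, "stderr": proc.stderr}
```

These limits bound CPU, memory and time only; they do not restrict which files the os module can reach, so the child would still need to run as an unprivileged user or inside a container.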

jcruz commented

We are prioritizing performance, so closing this for now.