Secure Way to Run Other People Code (Sandbox) on My Server

Secure way to run other people code (sandbox) on my server?

Running under unprivileged user still allows a local attacker to exploit vulnerabilities to elevate privileges.
Allowing to execute code in a VM can be insecure as well; the attacker can gain access to host system, as recent VMWare vulnerability report has shown.

In my opinion, allowing running native code on your system in the first place is not a good idea from security point of view. Maybe you should reconsider allowing them to run native code, this will certainly reduce the risk.

How can I run untrusted code on behalf of third parties?

Wait you all.

There is no reason for @sanity to look for 3rd party solutions, because Java already has a policy mechanism which allows untrusted code to access only a given subset of the Java API. See package java.security and SecurityManager. It allows you to say the JVM, "this app must have permission to access this stuff but not this other one".

But I think @sanity wants to grant a given permission to run untrusted code, without allowing it to do harmful things with that permission...

How to run user-submitted scripts securely in a node.js sandbox?

You should always run untrusted code in a separate process, which is exactly what the sandbox module does. A simple reason is that vm.runInNewContext('while(true){}', {}) will freeze node.

It starts by spawning a separate process, which will later send the result serialized to JSON on its stdout. The parent process continues executing regardless of what the child does and can trigger a timeout.

The untrusted code is then wrapped in a closure with strict mode (in regular JavaScript, you can use arguments.callee.caller to access data outside of your scope). Finally, a very limited global object is passed to prevent access to node's API. The untrusted code can only do basic computation and has no access to files or sockets.

While you should read sandbox's code as an inspiration, I wouldn't recommend using it as is:

The code is getting old and hasn't been updated for 7 months.
The Child Process module in node already provides most of the features you need, especially child_process.fork().
The IPC channel provided by child_process.fork probably has better performances.

For increased security, you could also consider using setuid-sandbox. It's the code used by Google Chrome to prevent tab processes from accessing the file system. You would have to make a native module, but this example seems straightforward.

Safely sandbox and execute user submitted JavaScript?

This answer is outdated as gf3 does not provide protection against sandbox breaking

http://gf3.github.io/sandbox/ - it uses require('child_process') instead of require('vm').

Is there any way to sandbox some javascript so that it can not in any way send data to a server

You can't cut off any native transport for script.

For example, Worker has access only to one native transport XMLHttpRequest(because no access to document -> no node with src, link, forms ) and you can redefine it ie window.XMLHttpRequest = function () {return 1} and script can't send data to server.

But just run delete window.XMLHttpRequest and you will set back native XMLHttpRequest. It works fine and in strict mode (ECMAScript-262 ed. 5/6)

(function () {

'use strict';

window.XMLHttpRequest = function () {return 1};

console.log(window.XMLHttpRequest);

delete window.XMLHttpRequest;

console.log(window.XMLHttpRequest);

})()

About HTML5 iframe options. If you use sandbox="allow-scripts allow-same-origin allow-pointer-lock" any script from iframe can't send cross-domain requests(XMLHttpRequest,postMessage,WebSocket, WebRTC, Server-Sent Events...any). If you need to denied cross-domain request - that is it.

Sandboxing in Linux

Along with the other sugestions you might find this useful.

http://www.eelis.net/geordi/

This is from http://codepad.org/about, codepad.org's about page.

Sandbox Java code before compiling?

Java has some sandboxing mechanisms, but those have such a poor security track record that many recommend turning off Java in the browser entirely.

You could try sandboxing a VM inside it's own virtual OS with reduced privileges.

Alternatively, you could require the code to be run in a language like
Joe-E that is designed to allow Java programs to execute untrusted code.

Joe-E is a subset of Java that makes it easier to architect and implement programs with strong security properties that can be checked during a security review. It enables programmers to apply the principle of least privilege to their programs; implement application-specific reference monitors that cannot be bypassed; introduce and use domain-specific security abstractions; safely execute and interact with untrusted code; and build secure, extensible systems. Joe-E demonstrates how it is possible to achieve the strong security properties of an object-capability language while retaining the features and feel of a mainstream object-oriented language.

The degree to which Joe-E's designers had to depart from standard Java should give you an idea of how big a task it is to prevent untrusted Java code from abusing the ambient authority available from within a JVM.

While some of these approaches may protect you from abuse of authority (especially if layered together), none will prevent denial of service. If you're trying to run other people's code alongside your code, and it decides to try to take all the CPU and never give it back, your only option is often to kill the whole process.

Secure Way to Run Other People Code (Sandbox) on My Server