Allowing users to execute python code on the server

Question

I know this is technically a duplicate question, but I believe it is valid since the original question was submitted 7 years ago and Python/web security has come a long way since then.

I would like to build a web app that allows users to input python code (through the Ace editor package) and then execute it in the browser using a python interpreter on the server. I cannot use pypy.js because I need to use numpy, pandas, and matplotlib. Essentially I would like to make my own Codecademy (I am a teacher and would like to create Codecademy-like courses for my students). Sadly the create-a-course thing Codecademy mentioned at one point has come to nothing.

I'm using Flask, but I could learn Django if that would be easier.

What is the best way to allow my users to run the python code without allowing them to affect the rest of the program or access files outside of what they're allowed to?

Allowing anyone to execute code is a security risk, even if you trust them. I'd imagine CodeAcademy runs each user in a miniature VM (or something of that sort) so that they can't do any harm to the primary system. — Rushy Panchal, Jun 13 '16 at 00:43
Perhaps you don't need the overhead of a VM if using a process that's isolated from the host system (I guess that's what Rushy was refering to as "something of that sort"), ie. docker instead of VM, eventually with mandatory access control if you don't trust your students. — jpic, Jun 13 '16 at 01:33
If people are already committing themselves to six months or so for taking a class in college and to install a VPN software, surely it's not too much to ask them to install Python in their machine? CodeAcademy type of courses are great as part of massive open online course (MOOC), but is rather a poor fit for actual classroom setting. Most interesting software development problems are too complicated to judge in CodeAcademy type of coding platform. — Lie Ryan, Jun 13 '16 at 02:18
@LieRyan Generally I agree. However, I teach K-12 teachers, so it's a little different. Many of my students have Chromebooks instead of full machines, and their school districts are buying Chromebooks by the pallet. Right now we're just using pythonanywhere, but I thought it might be fun to roll my own. It seems like that's "suicidal," though. — Georgia S, Jun 13 '16 at 02:41

score 1 · Accepted Answer · answered Jun 13 '16 at 01:34

There were no fundamental changes in Python or web security the last 7 years. It is still suicidal to allow users to run code on your server. However, what did change is the availability of lightweight VM solutions like docker. For an example how this could work have a look at https://civisanalytics.com/blog/engineering/2014/08/14/Using-Docker-to-Run-Python/ . I will not reference this solution here as you will found other examples, even if this one goes away.

However, this might be more safe then running user code direct on your server, BUT

the user code is still running on your server. It might be not possible to escape the docker image, but a malicious user could still upload for eg. a denial of service tool and start an attack from your server. Or sniff your network traffic or whatever.
there are or at least might be ways to break out of the docker image.

For a controlled environment like a classroom those risks might be acceptable, but for a public server you would need a lot of security know how to further lock down the server and the docker image and filter available python functionality.

Docker looks like a good solution. Right now the plan is just to run it on my university's network (so the students have to connect the the VPN to access it off campus still). If I ever transfer it to a public server I will try to get grant funding for an actual backend developer... but that's a hypothetical that's very far away. — Georgia S, Jun 13 '16 at 01:38

Allowing users to execute python code on the server

1 Answers1