securely executing untrusted python code on server

Question

I have a server and a front end, I would like to get python code from the user in the front end and execute it securely on the backend.

I read this article explaining the problematic aspect of each approach - eg pypl sandbox, docker etc.

I can define the input the code needs, and the output, and can put all of them in a directory, what's important to me is that this code should not be able to hurt my filesystem, and create a disk, memory, cpu overflow (I need to be able to set timeouts, and prevent it from accesing files that are not devoted to it)

What is the best practice here? Docker? Kubernetes? Is there a python module for that?

Thanks.

assuming running on linux, how about a mix of `chroot`, `cpulimit`, etc.? — Eric Wong, Feb 08 '19 at 16:00
I did not try that, could you post an answer explaining the usage and why it works? — thebeancounter, Feb 10 '19 at 07:31
i have not used those either :'D i only know there existed some command would be useful for your case, and found their command name only... — Eric Wong, Feb 10 '19 at 11:22

score 0 · Answer 1 · answered Jun 18 '19 at 12:35

You can have a python docker container with the volume mount. Volume mount will be the directory in local system for code which will be available in your docker container also. By doing this you have isolated user supplied code only to the container when it runs. Scan your python container with CIS benchmark for better security

securely executing untrusted python code on server

1 Answers1