I am author of growing framework, which is focused around User Interface building in PHP. Essential requirements for the up-coming website redesign is ability to run code examples. I am willing to extend this option to add-on authors which would mean other people will be able to execute code on my server.
Please suggest how to securely set up the environment which would allow me execute 3rd party PHP code built on my framework. I’d like to hear ideas from someone who have had experience with building sandboxed solutions.
2
I don’t have experience in sandboxing environments, but here are my 2 cents:
I worked on Google App Engine, both Java and Python, and GAE have their own sandboxed environment. Speaking of allowing users to run code, pranks/evil users might either try to abuse your server programmatically or can do illegal transactions(via http calls) from your server. I also do not have much knowledge in PHP, so pardon me for any bad assumptions.
Abusing your server:
CPU: They could write a never ending for-loop that just consumes your CPU. They could write code with high CPU usage.
Memory: They could write code creating objects in memory and not freeing them.
What Google does:
- They have a 30 second limit to process the request, after 30 seconds, they kill the thread.
- They mention in TOS that they can take down the app if it is consuming higher CPU. Perhaps they have automated triggers that show apps not using CPU efficiently.
What you could do:
- Limit the code execution time, say 10 or 15 seconds(or even lesser) depending on your use cases.
- As the program runs, record the CPU stats of each program execution(with user name) and flag those users who are running inefficient code frequently and issue a warning/ban them.
- I’m guessing you’d start each user submitted code in a new process, limit the memory of that program, say 32 MB. Choose the number depending on the need.
Illegal network activity:
They could send email/hit servers to scrape data. It is illegal to scrape content of several sites.
If doing HTTP requests is out of scope in your context, figure out a way to disable any HTTP request code. If you NEED to provide this functionality, then I guess you will have to monitor the bandwidth consumed by each user running their programs. Any one using beyond a few KB(since they don’t download media like browsers do) is questionable. I can think of another alternative for this case, which I think is feasible. I will discuss it anyway – The solution requires Javascript: from the submitted code, filter out the HTTP requests, perform the HTTP requests from the code submitter’s browser itself(using JavaScript, of course), once you get the response, submit the code and the response to your server for processing. Eliminates your server out of the external HTTP requests equation. However, you will really need to block network requests from the process on your server side also.
Hope this helps.
PS: For some reason, I believe this question belongs on Stackoverflow. Have your tried there?