#off-topic
2023-08-20
chico 03:08:31

I've been trying to build a small clone of leetcode for Clojure (side project) and I'm trying to think how I would run isolated code in Clojure. Is there any lib that I can use to sandbox my code? I'm receiving it as a string and I would like to run it in a controlled environment where I can check the memory usage and stop it if it reaches the max, and the same for a timeout if it passes the execution time. Is there any recommendation for how you would solve this problem?

chico 03:08:11

this is just to learn more about clojure..

Cora (she/her) 04:08:52

cljdoc runs in circle ci vms

Rupert (All Street) 07:08:02

• For security:
  ◦ Clojure code has lots of ways to escape controls that you put on it and can't be locked down easily (e.g. just preventing a user from calling eval or read-string is not enough to stop them escaping a sandbox or bypassing your limits (like timeouts)). They can do all sorts of things (e.g. start millions of futures or allocate a 4 GB string (str (range Long/MAX_VALUE)) or call System/exit to kill the whole JVM). Therefore I would do either or both of these:
    ▪︎ Use a simpler version of Clojure that you can control/patch, e.g. don't use JVM Clojure - use sci or ClojureScript etc. instead, with modifications
      • Note Docker containers are not safe by default - you need to take steps to harden them.
    ▪︎ Run untrusted code in an isolated place (no access to your disk or memory or root etc.) - use a Virtual Machine or Docker container or AWS Lambda etc.
• Think about the attack vectors
  ◦ Degrading the service for other users (e.g. hogging all memory, CPU, network etc.)
  ◦ Stealing or modifying code/files/secrets on the box that hosts it.
  ◦ Crypto mining
  ◦ Running DDoS attacks from your IP address.
  ◦ etc.
• Timeouts
  ◦ Since the untrusted code is now running outside your process (e.g. inside of a Docker container in its own JVM) - you can simply kill that external process when time is up.
• Memory usage
  ◦ For JVM Java you set an -Xmx value to control the memory (you can also control the memory of the isolated process, e.g. Virtual Machine, Docker container or AWS Lambda).

❤️ 4
Alejandro Buffery 05:08:54

hopefully this draws more people to know about Clojure and pique interest https://www.youtube.com/watch?v=GcJgGy-dfvE

👍 10
p-himik 11:08:13

It's already been posted in #C8NUSGWG6.