WingNews logo WingNews
top | item 46761975

(no title)

jy-tan | 1 month ago

Yes, Fence is designed for exactly this, the built-in `code` template already allowlists npm and PyPI registries:

``` fence -t code pip install requests fence -t code npm install express ```

This restricts writes to workspace + cache dirs, blocks reading credentials, limits network to allowlisted domains, and blocks dangerous commands (`rm -rf`, `npm publish`, etc).

discuss

order

vivzkestrel|1 month ago

thank you for the response,

- how would you go about deploying this on an aws ecosystem? ec2 server? lambda? fargate?

- basically i want to run untrusted user code for many programming languages inside a sandbox and i am looking for solutions to do so

- need to be able to install libraries from pip, npm, cargo , just about any programming language's package manager

jy-tan|1 month ago

You can just install Fence in your deployed service (see the installation instructions in the README), then wrap the user command/script with `fence -t code <command>`. It will probably work fine in an EC2 instance but I'm not very sure about Fargate/ECS/Lambda.

The `code` template already allowlists npm, PyPI, crates.io, and Go modules, easy to extend for others by adding to allowedDomains in your config.