HLBox runs untrusted code in secure Docker based sandboxes (forked from [EpicBox](https://github.com/StepicOrg/epicbox))
A Python library to run untrusted code in secure, isolated Docker based sandboxes.
It allows to spawn a process inside one-time Docker container, send data to stdin, and obtain its exit code and stdout/stderr output. It's very similar to what the
subprocessmodule does but additionally you can specify a custom environment for the process (a Docker image) and limit the CPU, memory, disk, and network usage for the running process.
Usage
Run a simple Python script in a one-time Docker container using the
python:3.6.5-alpineimage:import epicbox
epicbox.configure( profiles=[ epicbox.Profile('python', 'python:3.6.5-alpine') ] ) files = [{'name': 'main.py', 'content': b'print(42)'}] limits = {'cputime': 1, 'memory': 64} result = epicbox.run('python', 'python3 main.py', files=files, limits=limits)
The `result` value is: ```python {'exit_code': 0, 'stdout': b'42\n', 'stderr': b'', 'duration': 0.143358, 'timeout': False, 'oom_killed': False}
Advanced usage
A more advanced usage example of
epicboxis to compile a C++ program and then run it multiple times on different input data. In this exampleepicboxwill run containers on a dedicated Docker Swarm cluster instead of locally installed Docker engine:import epicbox
PROFILES = { 'gcc_compile': { 'docker_image': 'stepik/epicbox-gcc:6.3.0', 'user': 'root', }, 'gcc_run': { 'docker_image': 'stepik/epicbox-gcc:6.3.0', # It's safer to run untrusted code as a non-root user (even in a container) 'user': 'sandbox', 'read_only': True, 'network_disabled': False, }, } epicbox.configure(profiles=PROFILES, docker_url='tcp://1.2.3.4:2375')
untrusted_code = b""" // C++ program #include
int main() { int a, b; std::cin >> a >> b; std::cout << a + b << std::endl; } """
A working directory allows to preserve files created in a one-time container
and access them from another one. Internally it is a temporary Docker volume.
with epicbox.working_directory() as workdir: epicbox.run('gcc_compile', 'g++ -pipe -O2 -static -o main main.cpp', files=[{'name': 'main.cpp', 'content': untrusted_code}], workdir=workdir) epicbox.run('gcc_run', './main', stdin='2 2', limits={'cputime': 1, 'memory': 64}, workdir=workdir) # {'exit_code': 0, 'stdout': b'4\n', 'stderr': b'', 'duration': 0.095318, 'timeout': False, 'oom_killed': False} epicbox.run('gcc_run', './main', stdin='14 5', limits={'cputime': 1, 'memory': 64}, workdir=workdir) # {'exit_code': 0, 'stdout': b'19\n', 'stderr': b'', 'duration': 0.10285, 'timeout': False, 'oom_killed': False}
Installation
epicboxcan be installed by runningpip install epicbox. It's tested on Python 3.4+ and Docker 1.12+.
You can also check the epicbox-images repository that contains Docker images used to automatically grade programming assignments on Stepik.org.
Contributing
Contributions are welcome, and they are greatly appreciated! More details can be found in CONTRIBUTING.
FAQs
HLBox runs untrusted code in secure Docker based sandboxes (forked from [EpicBox](https://github.com/StepicOrg/epicbox))
We found that hlbox demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Browserslist-rs now uses static data to reduce binary size by over 1MB, improving memory use and performance for Rust-based frontend tools.
Research
Security News
Eight new malicious Firefox extensions impersonate games, steal OAuth tokens, hijack sessions, and exploit browser permissions to spy on users.
Security News
The official Go SDK for the Model Context Protocol is in development, with a stable, production-ready release expected by August 2025.
