-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathsandbox_poc.py
More file actions
56 lines (51 loc) · 1.79 KB
/
sandbox_poc.py
File metadata and controls
56 lines (51 loc) · 1.79 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
import subprocess
import tempfile
import os
import sys
def run_sandboxed(code: str, image="python:3.10-slim"):
"""
Executes Python code inside a restricted Docker container.
Blocks network, limits CPU/Memory, and mounts a temporary volume.
"""
print(f"[*] Initializing Sandbox (Image: {image})...")
# Create temp script
with tempfile.NamedTemporaryFile(mode='w', suffix='.py', delete=False) as script_file:
script_file.write(code)
script_path = script_file.name
# Docker Command: No Network, Read-Only Root, Tmpfs for /tmp, CPU/Mem Limits
cmd = [
"docker", "run", "--rm",
"--network", "none", # No internet access
"--read-only", # Root filesystem read-only
"--tmpfs", "/tmp", # Writable /tmp in memory
"--cpus", "0.5", # Limit CPU
"--memory", "128m", # Limit Memory
"-v", f"{script_path}:/app/script.py:ro", # Mount script read-only
image,
"python", "/app/script.py"
]
print(f"[*] Executing in Isolation...")
try:
result = subprocess.run(cmd, capture_output=True, text=True, timeout=10)
return {
"stdout": result.stdout,
"stderr": result.stderr,
"exit_code": result.returncode
}
except subprocess.TimeoutExpired:
return {"error": "Execution Timed Out (Possible Infinite Loop)"}
finally:
os.remove(script_path)
if __name__ == "__main__":
sample_code = """
import os
print("Hello from the Sandbox!")
try:
with open('/etc/passwd', 'w') as f:
f.write("hacked")
except OSError as e:
print(f"Write blocked: {e}")
"""
output = run_sandboxed(sample_code)
print("\n--- Sandbox Output ---")
print(output)