It is a great pleasure that my 4-hour hack last night lets me now introduce Sunaba, the Perl sandbox environment to run any PSGI/Plack applications.
The hardest part of implementing that is creating a sandboxed Perl runtime environment, and fortunately Dan Kogai did the hardest part already. About a year ago he created this lleval API, which runs your code in a sandbox (chroot + FreeBSD ptrace), and the Shibuya.pm folks tried to jailbreak it, with some interesting results. You can read the slides on how he implemented this sandbox.
I wouldn't say this is completely secure, but it works pretty well - you can't open local files, run arbitrary XS code, or call system("rm -fr /"). while(1) would be killed by the 1-second timeout. Meanwhile, some popular modules besides the core modules are installed, such as LWP, YAML and JSON.
My Sunaba application is just a web frontend with Tatsumaki + Twiggy + SQLite that basically allows you to create and edit applications in the browser, as well as a runner PSGI application that serializes the current PSGI $env and sends it into Dan's box to get the response back.
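An added example, not Sunaba's actual code, of the runner step described above: it reduces the PSGI $env to serializable data for the sandbox and validates the reply before returning it to the client. The function names, the JSON encoding and the body cap are assumptions; the call to the sandbox itself is left out because its API is not described here.

```perl
use strict;
use warnings;
use IO::Handle ();
use JSON::PP ();

# Hypothetical helper: keep only the plain scalar entries of the PSGI $env.
# Handles and other refs (psgi.input, psgi.errors, psgi.version, ...) are
# dropped, and the request body is read out and carried as a string.
sub env_to_payload {
    my ($env, $max_body) = @_;
    my %plain = map  { $_ => $env->{$_} }
                grep { defined $env->{$_} && !ref $env->{$_} } keys %$env;
    my $body = '';
    if (my $in = $env->{'psgi.input'}) {
        my $len = $env->{CONTENT_LENGTH} || 0;
        die "request body too large\n" if $len > $max_body;
        $in->read($body, $len) if $len;
    }
    return JSON::PP->new->canonical->ascii->encode({ env => \%plain, body => $body });
}

# Hypothetical helper: the sandbox output is untrusted, so accept only a
# well-formed PSGI triplet [ status, [ name => value, ... ], [ chunks ] ].
sub validate_response {
    my ($json) = @_;
    my $res = eval { JSON::PP->new->decode($json) };
    return [ 502, [ 'Content-Type' => 'text/plain' ], ['bad sandbox response'] ]
        unless ref($res) eq 'ARRAY' && @$res == 3
            && defined($res->[0]) && !ref($res->[0])
            && $res->[0] =~ /\A[1-5][0-9][0-9]\z/
            && ref($res->[1]) eq 'ARRAY' && @{ $res->[1] } % 2 == 0
            && ref($res->[2]) eq 'ARRAY'
            # no refs, undefs or CR/LF (header injection) in header fields
            && !grep { !defined($_) || ref($_) || /[\r\n]/ } @{ $res->[1] }
            && !grep { !defined($_) || ref($_) } @{ $res->[2] };
    return [ $res->[0] + 0, $res->[1], $res->[2] ];
}

# Constructed sample request and sandbox replies, for illustration only.
open my $in, '<', \'name=sunaba' or die $!;
my $env = { REQUEST_METHOD => 'POST', PATH_INFO => '/', CONTENT_LENGTH => 11,
            'psgi.input' => $in, 'psgi.errors' => \*STDERR };
print env_to_payload($env, 4096), "\n";
print validate_response('[200,["Content-Type","text/plain"],["hi"]]')->[0], "\n";
print validate_response('[200,["X-A","b\r\nSet-Cookie: x"],["hi"]]')->[0], "\n";
```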
All the service restrictions apply, and NO WARRANTY. But it's a good playground to toy with the PSGI interface. Well, Sunaba means "sandbox" in Japanese, so you can play and get your hands dirty :)
I can think of more enhancements to this, such as minimal/tiny framework support (I wonder what the source code size limit of Dan's service is - maybe 8K or something?) and the ability to install middleware components, etc. Also, for now Kogai-san's server is the best I can think of, but theoretically we can run the apps on other sandbox environments such as CodePad or Ideone. The only difference is that Kogai-san is my friend and I'm less likely to be banned for excessive use :)
Frequently Asked Questions
- Is there a limit for the code size? - Sunaba doesn't have any limit on the code size at this moment, but the backend server appears to limit the source code size to something like 4K.
- How do you determine who can edit the application? - It's currently based on your IP address and User-Agent string. Yes, it's not very good authentication.
- Are the application URLs permanent? - No, I plan to clean up applications periodically. It's a sandbox after all, you know :)