
Comment by jy-tan

1 month ago

Yes, Fence is designed for exactly this. The built-in `code` template already allowlists npm and PyPI registries:

```
fence -t code pip install requests
fence -t code npm install express
```

This restricts writes to workspace + cache dirs, blocks reading credentials, limits network to allowlisted domains, and blocks dangerous commands (`rm -rf`, `npm publish`, etc.).

Thank you for the response.

- How would you go about deploying this on an AWS ecosystem? EC2 server? Lambda? Fargate?

- Basically I want to run untrusted user code for many programming languages inside a sandbox and I am looking for solutions to do so.

- Need to be able to install libraries from pip, npm, cargo, just about any programming language's package manager.

  • You can just install Fence in your deployed service (see the installation instructions in the README), then wrap the user command/script with `fence -t code <command>`. It will probably work fine in an EC2 instance but I'm not very sure about Fargate/ECS/Lambda.

    The `code` template already allowlists npm, PyPI, crates.io, and Go modules, and it's easy to extend for others by adding to `allowedDomains` in your config.