zrw
zrw7mo ago

subhosting to run user scripts

I want to allow users to run arbitrary scripts, but they don't need to be available as endpoints, so they don't need Deno.serve(() => { .. etc. }; ... Is there a way to allow users (a la subhosting) to upload a simple script like return 4+5 and get a response with the return value and console logs?
5 Replies
Deno AI Helper
Deno AI Helper7mo ago
I wasn't able to find the answer to your question in the official Deno documentation. However, based on your message, it seems like you're looking for a way to execute user-provided scripts and capture their output. While I can't provide a solution directly from the Deno documentation, I can suggest a general approach that you might consider. You could use the Deno.run API to spawn a subprocess that executes a user script and captures its output. However, please note that running arbitrary user scripts can be very dangerous as it may lead to security vulnerabilities, such as arbitrary code execution. You should ensure that the environment in which these scripts run is properly sandboxed and that you have implemented adequate security measures. Here's a very basic example of how you might execute a script and capture its output. This advice is not based on the Deno documentation, so please double-check the accuracy and safety of this approach:
const decoder = new TextDecoder("utf-8");

const process = Deno.run({
cmd: ["deno", "eval", "console.log(4+5)"],
stdout: "piped",
stderr: "piped",
});

const output = await process.output(); // Captures stdout
const error = await process.stderrOutput(); // Captures stderr

process.close(); // Don't forget to close the process

console.log(decoder.decode(output)); // Should print "9"
console.log(decoder.decode(error)); // Should print any console errors
const decoder = new TextDecoder("utf-8");

const process = Deno.run({
cmd: ["deno", "eval", "console.log(4+5)"],
stdout: "piped",
stderr: "piped",
});

const output = await process.output(); // Captures stdout
const error = await process.stderrOutput(); // Captures stderr

process.close(); // Don't forget to close the process

console.log(decoder.decode(output)); // Should print "9"
console.log(decoder.decode(error)); // Should print any console errors
Remember, this is a very simplistic example and doesn't include any security measures. You would need to ensure that the user scripts are run in a secure manner, possibly by using Deno's permission flags to restrict what the scripts can do, and by sanitizing the code to prevent malicious actions. Please proceed with caution and consider all security
dmio_co
dmio_co7mo ago
"It all depends". There is always a way, and you can do it in multiple ways. The most secure way would be to use subhosting. https://docs.deno.com/deploy/manual/subhosting/#quick-start-example if you check this - in step 3 you're providing user code. Then you can always run a fetch command to initiate it. This way you'll get your code running in isolates and it would be safe.
About Subhosting | Deno Docs
A powerful use case for Deno Deploy is using our isolate cloud to run untrusted
dmio_co
dmio_co7mo ago
Second option would be a Playground https://docs.deno.com/deploy/manual/playgrounds - but AFAIK, there is no API to automate them
Playgrounds | Deno Docs
Playgrounds are an easy way to play around with Deno Deploy, and to create
dmio_co
dmio_co7mo ago
Last one, that might seem easiest, but I am strongly against - would be just to eval somehow the user code and run it. I'm not even checking this possibility, as it brings lots of problems like permissions, access to shared resources etc. So pls don't do it.