zrw•8mo ago

subhosting to run user scripts

I want to allow users to run arbitrary scripts, but they don't need to be available as endpoints, so they don't need Deno.serve(() => { .. etc. }; ... Is there a way to allow users (a la subhosting) to upload a simple script like return 4+5 and get a response with the return value and console logs?

5 Replies

Deno AI Helper•8mo ago

I wasn't able to find the answer to your question in the official Deno documentation. However, based on your message, it seems like you're looking for a way to execute user-provided scripts and capture their output. While I can't provide a solution directly from the Deno documentation, I can suggest a general approach that you might consider. You could use the Deno.run API to spawn a subprocess that executes a user script and captures its output. However, please note that running arbitrary user scripts can be very dangerous as it may lead to security vulnerabilities, such as arbitrary code execution. You should ensure that the environment in which these scripts run is properly sandboxed and that you have implemented adequate security measures. Here's a very basic example of how you might execute a script and capture its output. This advice is not based on the Deno documentation, so please double-check the accuracy and safety of this approach:

const decoder = new TextDecoder("utf-8");

const process = Deno.run({
  cmd: ["deno", "eval", "console.log(4+5)"],
  stdout: "piped",
  stderr: "piped",
});

const output = await process.output(); // Captures stdout
const error = await process.stderrOutput(); // Captures stderr

process.close(); // Don't forget to close the process

console.log(decoder.decode(output)); // Should print "9"
console.log(decoder.decode(error)); // Should print any console errors

const decoder = new TextDecoder("utf-8");

const process = Deno.run({
  cmd: ["deno", "eval", "console.log(4+5)"],
  stdout: "piped",
  stderr: "piped",
});

const output = await process.output(); // Captures stdout
const error = await process.stderrOutput(); // Captures stderr

process.close(); // Don't forget to close the process

console.log(decoder.decode(output)); // Should print "9"
console.log(decoder.decode(error)); // Should print any console errors

Remember, this is a very simplistic example and doesn't include any security measures. You would need to ensure that the user scripts are run in a secure manner, possibly by using Deno's permission flags to restrict what the scripts can do, and by sanitizing the code to prevent malicious actions. Please proceed with caution and consider all security

Deno AI Helper•8mo ago

implications when running user-provided scripts.

Helpful Links: Deno Subhosting: the easiest and most secure way to run untrusted multi-tenant code Deno Subhosting | Deno About Subhosting | Deno Docs Deno 1.0

dmio_co•8mo ago

"It all depends". There is always a way, and you can do it in multiple ways. The most secure way would be to use subhosting. https://docs.deno.com/deploy/manual/subhosting/#quick-start-example if you check this - in step 3 you're providing user code. Then you can always run a fetch command to initiate it. This way you'll get your code running in isolates and it would be safe.

About Subhosting | Deno Docs

A powerful use case for Deno Deploy is using our isolate cloud to run untrusted

dmio_co•8mo ago

Second option would be a Playground https://docs.deno.com/deploy/manual/playgrounds - but AFAIK, there is no API to automate them

Playgrounds | Deno Docs

Playgrounds are an easy way to play around with Deno Deploy, and to create

dmio_co•8mo ago

Last one, that might seem easiest, but I am strongly against - would be just to eval somehow the user code and run it. I'm not even checking this possibility, as it brings lots of problems like permissions, access to shared resources etc. So pls don't do it.