如何制作安全的在线编译器? [英] How to make safe online compiler?

问题描述

我想做一个简单的在线编译器，从浏览器获取代码，将其发送到服务器，进行编译，然后返回浏览器执行的结果.

I would like to do simple online-compiler, that take code from browser, send it to server, compile it, and return to browser result of execution.

恐怕有人会从代码或类似的代码中执行 format C:\ .有什么办法可以防止呢?

I am afraid that someone will be execute format C:\ from code or something like it. Is there any way to prevent it?

P.S.我正在寻找Windows解决方案.

P.S. I am looking Windows solution.

推荐答案

您将需要使用多层操作系统功能.以具有受限访问权限的受限用户身份，在受防火墙保护的虚拟机中运行编译器和生成的程序.

You'll want to use several layers of operating system features. Run the compiler and resulting program in a firewalled virtual machine as a limited user with restricted access to the operating system.

如果一切顺利，VM中的操作系统将阻止他们执行格式化驱动器之类的任何操作.但是，如果没有，并且他们可以让管理员访问它，那么它是可丢弃的VM，并且从外部对其进行了限制，这意味着管理员访问实际上并没有多大用处.您可以简单地重新映像VM，然后重新开始.(实际上，作为一种预防措施，即使一切正常，您也可能希望对其进行成像.)

If all goes well, the OS in the VM will keep them from doing anything like formatting the drive. But if not and they get administrator access to it, the fact that it is a disposable VM with limits placed on it from the outside means the admin access isn't actually worth much. You can simple reimage the VM and start fresh again. (In fact, you might want to image it even when all is normal just as a precaution.)

有了两层保护，您应该很安全.

With the two layers of protection, you should be pretty safe.

现在，在VM中，无论如何我都可能只运行Linux.即使服务器是Windows机器，也可以在VM内安装最小的Linux发行版，并使用 setrlimit 等限制进程内存和cpu时间.但是，如果您也想要Windows，作业对象 https://msdn.microsoft.com/en-us/library/ms684161(VS.85).aspx 达到了类似的资源限制.只需确保运行编译器和程序的用户帐户也对驱动器(在两个操作系统上)都具有严格限制的权限即可.

Now, in the VM, I'd probably just run Linux anyway. Even if the server is a Windows box, inside the VM you can install a minimal linux distro and use setrlimit and such to clamp down on process memory and cpu time. But if you want Windows too, job objects https://msdn.microsoft.com/en-us/library/ms684161(VS.85).aspx achieve similar resource limits. Just make sure your user account running the compiler and program also have severely restricted permissions on the drive too (on either os).

当然，您也可以在没有VM的情况下在主机OS上执行此类操作...但是，如果出现问题，则无法轻易放弃并替换整个操作，并且管理员访问权限可能会绕过您的其他防火墙或cpu限制.我肯定会使用这两层.

Of course, you could also do such things on the host OS without the VM... but then if something goes wrong, you can't so easily ditch and replace the whole thing, and administrator access might bypass your other firewall or cpu restrictions. I would definitely use the two layers.

顺便说一句，尽管有vm层，但别忘了仍然像其他Web表单一样仍然使用适当的XSRF和XSS维护.

BTW, despite the vm layer, don't forget to still use proper XSRF and XSS care too, just like any other web form.

这篇关于如何制作安全的在线编译器?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！