Letting users upload Python scripts for execution

Tags: python, cgi

I understand that letting any anonymous user upload any sort of file in general can be dangerous, especially if it's code. However, I have an idea to let users upload custom AI scripts to my website. I would provide the template so that the user could compete with other AIs in an online web game I wrote in Python. I either need a solution to ensure a user couldn't compromise any other files or inject malicious code via their uploaded script, or a solution for client-side execution of the game. Any suggestions? (I'm looking for a solution that will work with my Python scripts.)

AlbertoPL asked May 04 '09 00:05




2 Answers

I am in no way associated with this site and I'm only linking it because it tries to achieve what you are getting after: jailing of Python. The site is codepad.

According to the about page it is run under geordi and traps all sys calls with ptrace. In addition to being chroot'ed they are on a virtual machine with firewalls in place to disallow outbound connections.

Consider it a starting point but I do have to chime in on the whole danger thing. Gotta CYA myself. :)

Colin Burnett answered Nov 06 '22 03:11


Using PyPy you can create a Python sandbox. The sandbox is a separate and supposedly secure Python environment where you can execute their scripts. More info here:

http://codespeak.net/pypy/dist/pypy/doc/sandbox.html

"In theory it's impossible to do anything bad or read a random file on the machine from this prompt."

"This is safe to do even if script.py comes from some random untrusted source, e.g. if it is done by an HTTP server."

Dave answered Nov 06 '22 02:11
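Both answers put the uploaded script in its own confined process rather than inside the web application. The following is an added example, not code from codepad, geordi, PyPy or either answerer, showing the outermost layer of such a setup on Linux: each bot turn runs as a separate, resource-limited child process. The names `run_bot`, `LIMITS` and `MAX_OUTPUT` and all limit values are assumptions; resource limits alone do not confine file or network access, so the chroot, syscall filtering and firewalled VM listed in the first answer still belong around this.

```python
import resource
import subprocess
import sys
import tempfile

# Assumed per-turn limits (constructed values; tune for the real game).
LIMITS = {
    resource.RLIMIT_CPU: 2,                  # seconds of CPU time
    resource.RLIMIT_AS: 512 * 1024 * 1024,   # bytes of address space
    resource.RLIMIT_FSIZE: 0,                # no regular file may grow
    resource.RLIMIT_CORE: 0,                 # no core dumps
}
MAX_OUTPUT = 4096  # bytes of bot output the game server will look at


def _apply_limits():
    """Runs in the child after fork and before exec."""
    for res, want in LIMITS.items():
        _, hard = resource.getrlimit(res)
        if hard != resource.RLIM_INFINITY:
            want = min(want, hard)  # unprivileged code cannot exceed the hard limit
        resource.setrlimit(res, (want, want))


def run_bot(script_path, game_state, wall_timeout=5):
    """Run one uploaded script (absolute path) for one turn; return (ok, move_text)."""
    with tempfile.TemporaryDirectory() as scratch:
        try:
            proc = subprocess.run(
                # -I: ignore env vars and user site dir, -S: skip site, -B: no .pyc
                [sys.executable, "-I", "-S", "-B", script_path],
                input=game_state.encode(),
                stdout=subprocess.PIPE,
                stderr=subprocess.DEVNULL,
                cwd=scratch,             # empty throwaway working directory
                env={},                  # nothing inherited from the server
                start_new_session=True,  # detach from the server's session
                preexec_fn=_apply_limits,
                timeout=wall_timeout,    # wall clock; catches sleeping scripts
            )
        except subprocess.TimeoutExpired:
            return False, ""
    text = proc.stdout[:MAX_OUTPUT].decode(errors="replace")
    return proc.returncode == 0, text
```

The game state goes in on stdin and the move comes back on stdout, so the web application never imports or evaluates the uploaded file itself.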