Skip to content
/ wasm_exec Public

WASM-powered sandbox implementation of exec() for safely running dynamic Python code

License

MIT license
32 stars 1 fork Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

Jflick58/wasm_exec

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

88 Commits
.github
.github
 
 
tests
tests
 
 
wasm_exec
wasm_exec
 
 
wasm_runtime
wasm_runtime
 
 
.flake8
.flake8
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
poetry.lock
poetry.lock
 
 
pyproject.toml
pyproject.toml
 
 

Repository files navigation

wasm_exec

Wasm-powered, sandboxed implementation of exec() for safely running dynamic Python code

lint test License: MIT

Install

pip install wasm_exec

Usage

from wasm_exec import WasmExecutor

wasm = WasmExecutor()
code = "print('Hello World!')"
print(wasm.exec(code).text)

>> Hello World!

How does this work?

  • Arbitrary Python code is passed to the wasm_exec function
  • A separate Wasm-based Python interpreter is setup via wasmtime in a chroot jail
  • The arbitrary code is executed safely inside your isolated interpreter

Why?

There are number of use-cases emerging that require arbitrary code execution, often code that is generate by LLMs (Large Language Models) like ChatGPT. This can enable some really cool functionality - like generative BI or website generation - but also introduce a massive security flaw if implemented via eval() or exec(). This is because arbitrary code can be executed using these methods. In a worst case scenario, exec'ing arbitrary code could enable some to rm -rf / your entire server!

This repo intends to provide a secure method of executing arbitrary Python code to empower LLM-based code generation. This was originally intended to be a direct PR to Langchain but given that the problems with exec() extend to the entire Python ecosystem, it was decided that it would be better as a standalone package.

Prove it.

I understand any claims of being able to securely execute arbitrary code strings (rightfully) raises some eyebrows. Because of that, I've included a set of security-focused tests that attempt to use some common escape patterns to attempt to escape the jailed Wasm Python interpreter, including running the rm -rf / test on my own personal desktop.

I strongly welcome any attempts to break the interpreter containment and/or security improvements to the code!

Implementation Notes

  • I do not claim the jailed Wasm Python interpreter as my original idea. This was inspired by Simon Willison's Blog on this topic and the linked code provided by Tim Bart
  • The Wasm Python runtime is redistributed from VMWare Wasm Labs' offering of a Python Wasm runtime
  • Shout0out to Langchain as a source for Github workflows
  • Because it is a separate interpreter, there are currently some limitations on imports. I am working to test and document these limitations.

Contributing

Contributions VERY welcome! See here.

About

WASM-powered sandbox implementation of exec() for safely running dynamic Python code

Resources

Readme

License

MIT license
Activity

Stars

32 stars

Watchers

3 watching

Forks

1 fork
Report repository

Releases 10

v0.1.9 Latest
Jan 24, 2024
+ 9 releases

Packages

No packages published

Contributors 2

  •  
  •  

Languages