Show HN: Sandboxing untrusted code using WebAssembly

75 points · mavdol04 · 1 day ago

Hi everyone,

I built a runtime to isolate untrusted code using wasm sandboxes.

Basically, it protects your host system from problems that untrusted code can cause. We’ve had a great discussion about sandboxing in Python lately that elaborates a bit more on the problem [1]. In TypeScript, wasm integration is even more natural thanks to the close proximity between both ecosystems.

The core is built in Rust. On top of that, I use WASI 0.2 via wasmtime and the component model, along with custom SDKs that keep things as idiomatic as possible.

For example, in Python we have a simple decorator:

  from capsule import task

  @task(
      name="analyze_data", 
      compute="MEDIUM",
      ram="512mb",
      allowed_files=["./authorized-folder/"],
      timeout="30s", 
      max_retries=1
  )
  def analyze_data(dataset: list) -> dict:
      """Process data in an isolated, resource-controlled environment."""
      # Your code runs safely in a Wasm sandbox
      return {"processed": len(dataset), "status": "complete"}

And in TypeScript we have a wrapper:

  import { task } from "@capsule-run/sdk"

  export const analyze = task({
      name: "analyzeData", 
      compute: "MEDIUM", 
      ram: "512mb",
      allowedFiles: ["./authorized-folder/"],
      timeout: 30000, 
      maxRetries: 1
  }, (dataset: number[]) => {
      return {processed: dataset.length, status: "complete"}
  });

You can set CPU (with compute), memory, filesystem access, and retries to keep precise control over your tasks.

It's still quite early, but I'd love feedback. I’ll be around to answer questions.

GitHub: https://github.com/mavdol/capsule

[1] https://news.ycombinator.com/item?id=46500510

csense1 day ago
I had to do some research to figure out what this is actually doing. When you try to pass e.g. strings through WASM functions you end up writing the data to memory and passing offset / length, which is obviously inconvenient and potentially has security implications. WASM components [1] is a spec that tries to improve on this with an IDL called WIT that lets you define functions that pass complex types with a proper ABI.
This all seems sensible for languages like C or Zig that neatly cross compile to WASM. But I was very confused how this could ever work with a duck-typed interpreted language like Python, so I did some digging.
Apparently "run your Python as WASM" part is implemented by componentize-py which cross compiles CPython to WASM as libpython3.14.so [2].
I'm not sure whether I should be impressed or horrified...
[1] https://component-model.bytecodealliance.org/
[2] https://github.com/bytecodealliance/componentize-py/blob/79e...
yohguy1 day ago
It looks really promising but I would love more examples as to how to actually use this with AI agents. Reading the homepage it is not clear if we are meant to have the Agent spun up and act fully in the sandbox (something like the HTTP example) or do we take the result code message from an AI agent and then run it dynamically (with eval?).
That being said this is useful even if it wasn't for the running AI agent code aspect, being able to limit ram and cpu usage and time outs makes it easier to run coding based games/applications safely (like battle snakes and Leetcode)
Asmod4n1 day ago
Mruby has something like that build in, you can create a VM which only has basic data types and control flow, no i/o, rng, time, meta programming or any host access possible simply because most functionality is only available as gems and they simply aren’t loaded. Everything you can do with it should be fully deterministic.
koolala1 day ago
It seems import to highlight these more. Aren't all the limitations of using this based around their limitations?
componentize-py – Python to WebAssembly Component compilation
+
jco – JavaScript toolchain for WebAssembly Components
I'm curious how Wasi 0.3 cross language components will go for something like this.
gregpr071 day ago
Why go this route? Why Python is more powerful than JS is mostly because of third party plugins like pandas which are excplicitly not supported (C bindings, is this possible to fix?)...
At that point it might be just easier to convince the model to write JS directly
bigblind1 day ago
This looks very neat indeed! Are there any plans to adding network limits? Like, you might want to avoid an agent running code that just requests a resource in a loop, or downloads massive amounts of data.
skybrian1 day ago
If it's a coding agent, it will need to be able to write scripts and run them. I haven't tried just-bash, but it seems interesting for comparison:
https://github.com/vercel-labs/just-bash
simonw1 day ago
The decorator syntax is neat but confusing to me - I would need to understand exactly what it's doing in order to trust it.
I'd find this a lot easier to trust it if had the Python code that runs in WASM as an entirely separate Python file, then it would be very clear to me which bits of code run in WASM.

Loading comments...

news.ycombinator.com/item?id=46871387

csense1 day ago
I had to do some research to figure out what this is actually doing. When you try to pass e.g. strings through WASM functions you end up writing the data to memory and passing offset / length, which is obviously inconvenient and potentially has security implications. WASM components [1] is a spec that tries to improve on this with an IDL called WIT that lets you define functions that pass complex types with a proper ABI.
This all seems sensible for languages like C or Zig that neatly cross compile to WASM. But I was very confused how this could ever work with a duck-typed interpreted language like Python, so I did some digging.
Apparently "run your Python as WASM" part is implemented by componentize-py which cross compiles CPython to WASM as libpython3.14.so [2].
I'm not sure whether I should be impressed or horrified...
[1] https://component-model.bytecodealliance.org/
[2] https://github.com/bytecodealliance/componentize-py/blob/79e...
yohguy1 day ago
It looks really promising but I would love more examples as to how to actually use this with AI agents. Reading the homepage it is not clear if we are meant to have the Agent spun up and act fully in the sandbox (something like the HTTP example) or do we take the result code message from an AI agent and then run it dynamically (with eval?).
That being said this is useful even if it wasn't for the running AI agent code aspect, being able to limit ram and cpu usage and time outs makes it easier to run coding based games/applications safely (like battle snakes and Leetcode)
Asmod4n1 day ago
Mruby has something like that build in, you can create a VM which only has basic data types and control flow, no i/o, rng, time, meta programming or any host access possible simply because most functionality is only available as gems and they simply aren’t loaded. Everything you can do with it should be fully deterministic.
koolala1 day ago
It seems import to highlight these more. Aren't all the limitations of using this based around their limitations?
componentize-py – Python to WebAssembly Component compilation
+
jco – JavaScript toolchain for WebAssembly Components
I'm curious how Wasi 0.3 cross language components will go for something like this.
gregpr071 day ago
Why go this route? Why Python is more powerful than JS is mostly because of third party plugins like pandas which are excplicitly not supported (C bindings, is this possible to fix?)...
At that point it might be just easier to convince the model to write JS directly
bigblind1 day ago
This looks very neat indeed! Are there any plans to adding network limits? Like, you might want to avoid an agent running code that just requests a resource in a loop, or downloads massive amounts of data.
skybrian1 day ago
If it's a coding agent, it will need to be able to write scripts and run them. I haven't tried just-bash, but it seems interesting for comparison:
https://github.com/vercel-labs/just-bash
simonw1 day ago
The decorator syntax is neat but confusing to me - I would need to understand exactly what it's doing in order to trust it.
I'd find this a lot easier to trust it if had the Python code that runs in WASM as an entirely separate Python file, then it would be very clear to me which bits of code run in WASM.