Just run it in a separate process with a seccomp sandbox, using pipe/socket IPC with a timeout (if it's some anti-DoS/intrusion thing, just fail allowing the request, since it's going to have false negatives anyway).
The IPC cost should not be significant compared to the rest of the web server code.
Can also ask them to do the work and provide a small open source in-process shim that sets up and talks to the sandboxed process.
That was the intent and solution I had in mind. Appreciate the positive feedback as I might do it myself given all the ridiculously tiny web servers people have made.
My favorite trick I saw was one that replied directly with TCP/IP packets pre-encoded from the HTML. Cool, huh? That could even be done with highly assured tools in a safer language as part of a CMS or web build system.
The usual process is for your script to do an OAuth flow on an embedded web server with Okta or whatever, and to port forward that embedded server to your client machine. VS Code remote handles this pretty well, for example.
I’m sure this exists. We have legacy command line scripts that run continuously to support various internal processes.
I’m looking for a web based solution to do the following:
- Start whitelisted processes
- Stop whitelisted processes
- Live output from the processes in the browser while they are running
- Authentication (optional, can hide behind SSH or use client certs if required)
- Audit log (optional, nice to have)
That would be a good first step. It would have to be a subset of CSP. Don't allow inline scripts or eval. Only on https is another step I see as very important.
Just don’t do it then. Either ship something Electron-based (or similar) with an embedded browser and IPC communication with the bundled “backend”, or communicate via a trusted server.
Listening on localhost is a security nightmare, also because it is accessible from other user accounts on the same machine. The server probably can do some privileged tasks (otherwise you wouldn’t need it) and could be hijacked by malware.
Google's nsjail (https://github.com/google/nsjail) has a nice "inetd style" mode where it can launch a sandboxed process in response to a TCP connection for similar use cases to this (and is relatively quick to fire up).
I have done something like this. I interfaced with Apache however rather than also writing the web server by hand. I also leveraged libraries when I could.
You may want to investigate the following libraries:
- fcgi++: Interface with the web server using fast cgi; keep the program resident in memory between requests.
- botan: For generating cryptographic hashes.
- cgicc: For handling input from the web browser.
- xerces-c: For implementing a templating system and generating the output which gets sent to the web browser.
- libpqxx: Interfacing with Postgres.
- cppunit: Unit-testing critical or difficult-to-test bits.
It's not as hard as everyone likes to make it sound (assuming you are on the right side of the C++ learning curve). The real question is whether you want to spend your time writing a framework rather than actual applications.
Absolutely insane. Seems like it's installing pip packages and running localhost in the browser? I don't 100% grasp what is happening underneath the hood. But usually you would launch the local server, browse over to http://localhost to view it in your browser. This is running the web server inside WebAssembly inside your browser? Is it then possible to expose that local web server inside WebAssembly to the internet? Crazy stuff! Looks like it's possible to speed up the initial load time by using web workers, very much eager to see that in action.
You've just described Sandstorm. Sandstorm runs instances (called grains) of applications in a sandbox. The application gets a limited file system and a Cap'n Proto RPC connection to the outside world over a unix socket. Sandstorm runs the HTTPS server, which turns requests into RPC calls. Sandstorm authenticates the users and provides temporary subdomains and frames to sandbox the HTML side of it.
You could do that, including figuring out your NAT/Firewall, how to proxy through apache to your app and have to worry about security. Or, you could just do this:
show 3100
I dunno, I'm a busy dude and my time isn't free. So I'd rather pay $5 a month to have someone figure this out for me and let me spend time leveraging it to build cool stuff of my own.
I don't need the web server response and I just want to send an IP-spoofed HTTP packet.
I don't care about the programming language, so any source code or program is welcome.
My first thought was to abuse the Web client. Run a server somewhere which hooks into JS in headless Chrome, parses commands and sends messages (requires a dummy user). The client could be based on the Web client, too. But I'm not sure if it's feasible and it's probably against the Terms of Use.