Scastie: use any Scala compiler and Scala library in the browser (opens in new tab)

(scala-lang.org)

170 pointsheathermiller8y ago33 comments

33 comments

(naturally, the very first thing I tried to evaluate is scala.io.Source.fromFile("/etc/passwd").getLines.mkString("\n") . Spoiler alert: it works!)

masgui8y ago

It does and you are root. You are evaluating inside a docker container. It's not a bulletproof method but it will stop a few. The instances evaluating your code is also on a network not accessible from the internet. I'm not an expert in security, if you have any advice on how we can improve our defence please tell us.

atemerev8y ago

I am not a pentesting expert. My first reaction is to leave everything as is, as it is a very cool to play with root access to docker containers (I managed to reboot one, but a new one immediately appeared on page reload).

My worst concern now would be network security. With root access, it is trivial to e.g. install spambots in all your containers (just checked, command execution works, and external network access is enabled). I think it is a good idea to at least disable networking. (Update: and use a minimal Docker image like Alpine Linux).

Proof:

[__REDACTED__]

2 more replies

clhodapp8y ago

The general rule is that you want as many layers of security as you can get away with without making things impractically inconvenient. In this case, the first step is probably not letting the user's code run as root in the container. Gaining container-root is going to be the first step in many, many exploits and by letting code just run that way, you are giving a potential attacker that step for free.

Disclaimer: Absolutely not a security expert, just someone who is somewhat on the hook for security!

wsargent8y ago

I put together a list of security tips:

https://github.com/wsargent/docker-cheat-sheet#security-tips

Probably the biggest one is to use Virtualbox or another virtual machine so that Docker isn't your only line of defence.

1 more reply

ronjouch8y ago

Thumbs up for the honest upfront response!

Maybe Jessica McKellar's "Building and Breaking a Python Sandbox" talk can bring some ideas. (But maybe not! It might be too Python-specific or too language-level whereas you want to remain at a higher level with just Docker)

Video: https://www.youtube.com/watch?v=sL_syMmRkoU

Slides: https://speakerdeck.com/pycon2014/building-and-breaking-a-py...

eranation8y ago

Congrats Guillaume! How much of ScalaKata code is in there? Sorry if I missed it in the post, but is Scastie open source? I'd love to finally fix scalatutorials.com :) p.s. did you guys consider using a "serverless" architecture to isolate runners instead of docker? Also, are you running it with java -Djava.security.manager? If not then why?

1 more reply

j_s8y ago

I recommend to at least wrap all the containers in a VM between the docker containers and your server-side orchestration code.

SELinux also helps, from what I've read.

https://news.ycombinator.com/item?id=14245428

monksy8y ago

/etc/shadow works as well :S But there are not encrypted bits in it.

atemerev8y ago

Hi Heather!

Looks like you've got a Hacker News effect on your shoulders. :) Servers seem to be overloaded.

TeMPOraL8y ago

Nah, that's probably just Hacker Effect of people rebooting the container ;).

masgui8y ago

Working for me (TM).

drewda8y ago

Seems like the Scala and SBT equivalent of https://npm.runkit.com/ (which allows in-browser use of Node and NPM packages)

mark_l_watson8y ago

This looks cool, I just experimented with it. I am curious: what is the business model for this? Server costs are probably fairly expensive.

masgui8y ago

We are the [Scala Center](https://scala.epfl.ch). We are a non-profit organization. Our revenue is from donations. This service will be forever free.

stephen1238y ago

Its great to see so much good stuff going on in Scala land!

wiradikusuma8y ago

I'm a Scala developer but I don't understand what is Scastie. How does it benefit from the perspective of developers like me?

richardwhiuk8y ago

It's an interactive playground for Scala so you can share code and send it to other people.

https://scastie.scala-lang.org/

hayd8y ago

Will this allow running a play app? (with debug etc) ??

masgui8y ago

Yes it can run anything sbt can.

https://scastie.scala-lang.org/MasseGuillaume/62vmEr9XR0qDWw...

freekh8y ago

This looks so cool!!! Can't wait to try it out!

aghll0ihph2bbe88y ago

How am I supposed to dismiss this modal window? http://i.imgur.com/atx6KsX.png

masgui8y ago

hum this look like a but in safari https://github.com/scalacenter/scastie/issues/. You can visit this link: https://scastie.scala-lang.org/MasseGuillaume/kHn9lemPTayxoY... and it will clear the modal.

j / k navigate · click thread line to collapse

33 comments

atemerev8y ago

(naturally, the very first thing I tried to evaluate is scala.io.Source.fromFile("/etc/passwd").getLines.mkString("\n") . Spoiler alert: it works!)

masgui8y ago

atemerev8y ago

Proof:

[__REDACTED__]

2 more replies

clhodapp8y ago

Disclaimer: Absolutely not a security expert, just someone who is somewhat on the hook for security!

wsargent8y ago

I put together a list of security tips:

https://github.com/wsargent/docker-cheat-sheet#security-tips

Probably the biggest one is to use Virtualbox or another virtual machine so that Docker isn't your only line of defence.

1 more reply

ronjouch8y ago

Thumbs up for the honest upfront response!

Video: https://www.youtube.com/watch?v=sL_syMmRkoU

Slides: https://speakerdeck.com/pycon2014/building-and-breaking-a-py...

eranation8y ago

1 more reply

j_s8y ago

I recommend to at least wrap all the containers in a VM between the docker containers and your server-side orchestration code.

SELinux also helps, from what I've read.

https://news.ycombinator.com/item?id=14245428

monksy8y ago

/etc/shadow works as well :S But there are not encrypted bits in it.

atemerev8y ago

Hi Heather!

Looks like you've got a Hacker News effect on your shoulders. :) Servers seem to be overloaded.

TeMPOraL8y ago

Nah, that's probably just Hacker Effect of people rebooting the container ;).

masgui8y ago

Working for me (TM).

drewda8y ago

Seems like the Scala and SBT equivalent of https://npm.runkit.com/ (which allows in-browser use of Node and NPM packages)

mark_l_watson8y ago

This looks cool, I just experimented with it. I am curious: what is the business model for this? Server costs are probably fairly expensive.

masgui8y ago

We are the [Scala Center](https://scala.epfl.ch). We are a non-profit organization. Our revenue is from donations. This service will be forever free.

stephen1238y ago

Its great to see so much good stuff going on in Scala land!

wiradikusuma8y ago

I'm a Scala developer but I don't understand what is Scastie. How does it benefit from the perspective of developers like me?

richardwhiuk8y ago

It's an interactive playground for Scala so you can share code and send it to other people.

https://scastie.scala-lang.org/

hayd8y ago

Will this allow running a play app? (with debug etc) ??

masgui8y ago

Yes it can run anything sbt can.

https://scastie.scala-lang.org/MasseGuillaume/62vmEr9XR0qDWw...

freekh8y ago

This looks so cool!!! Can't wait to try it out!

aghll0ihph2bbe88y ago

How am I supposed to dismiss this modal window? http://i.imgur.com/atx6KsX.png

masgui8y ago

j / k navigate · click thread line to collapse