Running v8 itself as a sandbox is non-trivial, at least embedded in a Python or Node.js or similar application.

The web is littered with libraries that half do that and then have a note in the README that says "do not rely on this as a secure sandbox".

▲

MobiusHorizons 6 hours ago | parent [-]

Is it though? I have not personally used these libraries, but a cursory google search reveals several options: - cloudflare/STPyV8: [0] From cloudflare, intended for executing untrusted code. - Pythonmonkey: [1] Embeds spidermonkey. Not clearly security focused, but sandboxing untrusted code is literally the point of browser js engines.

It's a little less clear how you would do this from node, but the v8 embedding instructions should work https://v8.dev/docs/embed even if nodejs is already a copy of v8.

[0]: https://github.com/cloudflare/stpyv8 [1]: https://docs.pythonmonkey.io

	▲	simonw 5 hours ago \| parent [-]
		... whoa, I don't know how I missed it but I hadn't seen STPyV8 before. I'd seen PyV8 and ruled it out as very unmaintained. One of my requirements for a sandbox is that it needs to me maintained by a team of professionals who are running a multi-million dollar business on it. Cloudflare certainly count! I wonder what they use STPyV8 for themselves? ... on closer inspection it doesn't seem to have the feature I care most about: the ability to constrain memory usage (see comment here https://github.com/cloudflare/stpyv8/blob/57e881c7fbe178c598...) - and there's no built-in support for time limits either, you have to cancel tasks from a separate thread: https://github.com/cloudflare/stpyv8/issues/112 PythonMonkey looks promising too: the documentation says "MVP as of September 2024" so clearly it's intended to be stable for production use at this point.