Deploy Docker sandbox with isolated container execution

Dockerfile

@@ -0,0 +1,50 @@
+# Multi-Language Code Execution Sandbox - Secure Docker Container
+FROM python:3.11-slim
+
+# Install system dependencies for multiple languages and security tools
+RUN apt-get update && apt-get install -y \
+    # Node.js & npm for React/JavaScript
+    nodejs npm \
+    # Build tools
+    build-essential \
+    gcc g++ \
+    # Security: Run as non-root user
+    sudo \
+    # Cleanup
+    && rm -rf /var/lib/apt/lists/*
+
+# Create non-root user for sandbox execution
+RUN useradd -m -u 1000 -s /bin/bash sandbox && \
+    echo "sandbox ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
+
+# Set working directory
+WORKDIR /app
+
+# Copy requirements and install Python dependencies
+COPY requirements_docker.txt /app/requirements.txt
+RUN pip install --no-cache-dir -r requirements.txt
+
+# Install React dependencies globally
+RUN npm install -g react react-dom
+
+# Copy application code
+COPY app_docker.py /app/app.py
+COPY sandbox_executor.py /app/
+
+# Create execution directory with restricted permissions
+RUN mkdir -p /sandbox && \
+    chown sandbox:sandbox /sandbox && \
+    chmod 755 /sandbox
+
+# Switch to non-root user
+USER sandbox
+
+# Expose port 7860
+EXPOSE 7860
+
+# Health check
+HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
+  CMD python -c "import requests; requests.get('http://localhost:7860/health')" || exit 1
+
+# Run the application
+CMD ["python", "app.py"]

app.py

@@ -0,0 +1,330 @@
+"""
+Docker-Based Sandbox Executor for Hugging Face Spaces
+Secure code execution using Docker containers
+"""
+from fastapi import FastAPI, HTTPException
+from fastapi.middleware.cors import CORSMiddleware
+from pydantic import BaseModel
+import subprocess
+import tempfile
+import os
+import time
+import base64
+from typing import Optional
+import docker
+from pathlib import Path
+
+app = FastAPI(title="Docker Sandbox Executor")
+
+# Enable CORS
+app.add_middleware(
+    CORSMiddleware,
+    allow_origins=["*"],
+    allow_credentials=True,
+    allow_methods=["*"],
+    allow_headers=["*"],
+)
+
+# Initialize Docker client
+try:
+    docker_client = docker.from_env()
+    DOCKER_AVAILABLE = True
+    print("✓ Docker client initialized successfully")
+except Exception as e:
+    DOCKER_AVAILABLE = False
+    print(f"⚠️ Docker not available: {e}")
+
+class CodeExecutionRequest(BaseModel):
+    language: str
+    code: str
+    timeout: Optional[int] = 30
+
+class SandboxDockerExecutor:
+    """Execute code in isolated Docker containers"""
+    
+    def __init__(self):
+        self.execution_count = 0
+        
+    def execute_in_docker(self, language: str, code: str, timeout: int = 30):
+        """Execute code in Docker container"""
+        self.execution_count += 1
+        start_time = time.time()
+        
+        try:
+            if language.lower() == "python":
+                return self._execute_python_docker(code, timeout)
+            elif language.lower() == "react":
+                return self._execute_react_docker(code, timeout)
+            elif language.lower() == "html":
+                return self._execute_html_docker(code, timeout)
+            elif language.lower() == "javascript":
+                return self._execute_javascript_docker(code, timeout)
+            else:
+                return False, "", f"❌ Unsupported language: {language}"
+                
+        except Exception as e:
+            return False, "", f"❌ Docker execution error: {str(e)}"
+    
+    def _execute_python_docker(self, code: str, timeout: int):
+        """Execute Python in Docker"""
+        container = None
+        try:
+            # Create container with resource limits
+            container = docker_client.containers.run(
+                "python:3.11-alpine",
+                f"python -c '{code}'",
+                detach=True,
+                mem_limit="256m",
+                cpu_period=100000,
+                cpu_quota=50000,  # 50% CPU
+                network_mode="none",  # No network access
+                remove=True
+            )
+            
+            # Wait for completion with timeout
+            result = container.wait(timeout=timeout)
+            logs = container.logs().decode('utf-8')
+            
+            success = result['StatusCode'] == 0
+            return success, logs, "" if success else logs
+            
+        except docker.errors.ContainerError as e:
+            return False, "", str(e)
+        except Exception as e:
+            return False, "", f"Container error: {str(e)}"
+        finally:
+            if container:
+                try:
+                    container.remove(force=True)
+                except:
+                    pass
+    
+    def _execute_react_docker(self, code: str, timeout: int):
+        """Execute React (generate HTML for client-side rendering)"""
+        html_content = f"""<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>React Sandbox #{self.execution_count}</title>
+    <script crossorigin src="https://unpkg.com/react@18/umd/react.production.min.js"></script>
+    <script crossorigin src="https://unpkg.com/react-dom@18/umd/react-dom.production.min.js"></script>
+    <script src="https://unpkg.com/@babel/standalone/babel.min.js"></script>
+    <style>
+        body {{
+            margin: 0;
+            padding: 0;
+            font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', 'Roboto', sans-serif;
+        }}
+        #root {{
+            width: 100%;
+            min-height: 100vh;
+        }}
+    </style>
+</head>
+<body>
+    <div id="root"></div>
+    <script type="text/babel">
+        {code}
+    </script>
+</body>
+</html>"""
+        return True, html_content, ""
+    
+    def _execute_html_docker(self, code: str, timeout: int):
+        """Execute HTML"""
+        if not code.strip().startswith('<!DOCTYPE') and not code.strip().startswith('<html'):
+            code = f"<!DOCTYPE html>\n{code}"
+        return True, code, ""
+    
+    def _execute_javascript_docker(self, code: str, timeout: int):
+        """Execute JavaScript in Docker"""
+        container = None
+        try:
+            container = docker_client.containers.run(
+                "node:18-alpine",
+                f"node -e '{code}'",
+                detach=True,
+                mem_limit="256m",
+                cpu_period=100000,
+                cpu_quota=50000,
+                network_mode="none",
+                remove=True
+            )
+            
+            result = container.wait(timeout=timeout)
+            logs = container.logs().decode('utf-8')
+            
+            success = result['StatusCode'] == 0
+            return success, logs, "" if success else logs
+            
+        except Exception as e:
+            return False, "", f"Container error: {str(e)}"
+        finally:
+            if container:
+                try:
+                    container.remove(force=True)
+                except:
+                    pass
+
+# Global executor
+executor = SandboxDockerExecutor()
+
+def format_terminal_html(language: str, success: bool, stdout: str, stderr: str, 
+                         execution_time: float, exec_id: int) -> str:
+    """Format terminal output as HTML"""
+    import html as html_module
+    
+    status_color = "#00ff00" if success else "#ff4444"
+    status_text = "✓ SUCCESS" if success else "✗ FAILED"
+    
+    stdout_escaped = html_module.escape(stdout) if stdout else ""
+    stderr_escaped = html_module.escape(stderr) if stderr else ""
+    
+    return f"""<!DOCTYPE html>
+<html>
+<head>
+    <meta charset="UTF-8">
+    <title>🐳 Docker Sandbox Terminal #{exec_id}</title>
+    <style>
+        * {{ margin: 0; padding: 0; box-sizing: border-box; }}
+        body {{
+            background: #000;
+            color: #00ff00;
+            font-family: 'Courier New', monospace;
+            padding: 20px;
+            line-height: 1.6;
+        }}
+        .header {{
+            border-bottom: 2px solid #00ff00;
+            padding-bottom: 15px;
+            margin-bottom: 20px;
+        }}
+        h1 {{ color: #00ff00; font-size: 24px; margin-bottom: 10px; }}
+        .info {{
+            display: grid;
+            grid-template-columns: 150px 1fr;
+            gap: 10px;
+            margin-bottom: 20px;
+            font-size: 14px;
+        }}
+        .info-label {{ color: #888; }}
+        .info-value {{ color: #00ff00; }}
+        .status {{ color: {status_color}; font-weight: bold; font-size: 18px; }}
+        .output-section {{ margin: 20px 0; }}
+        .output-title {{
+            color: #00aaff;
+            font-size: 16px;
+            margin-bottom: 10px;
+            border-bottom: 1px solid #00aaff;
+            padding-bottom: 5px;
+        }}
+        .output-content {{
+            background: #111;
+            padding: 15px;
+            border-left: 3px solid #00ff00;
+            white-space: pre-wrap;
+            word-wrap: break-word;
+            max-height: 400px;
+            overflow-y: auto;
+        }}
+        .stderr {{ color: #ff6666; border-left-color: #ff4444; }}
+        .empty {{ color: #666; font-style: italic; }}
+        ::-webkit-scrollbar {{ width: 10px; }}
+        ::-webkit-scrollbar-track {{ background: #111; }}
+        ::-webkit-scrollbar-thumb {{ background: #00ff00; border-radius: 5px; }}
+    </style>
+</head>
+<body>
+    <div class="header">
+        <h1>🐳 DOCKER SANDBOX TERMINAL</h1>
+    </div>
+    <div class="info">
+        <div class="info-label">Execution ID:</div>
+        <div class="info-value">#{exec_id}</div>
+        <div class="info-label">Language:</div>
+        <div class="info-value">{language.upper()}</div>
+        <div class="info-label">Execution Time:</div>
+        <div class="info-value">{execution_time:.3f}s</div>
+        <div class="info-label">Status:</div>
+        <div class="status">{status_text}</div>
+    </div>
+    <div class="output-section">
+        <div class="output-title">📤 STDOUT</div>
+        <div class="output-content {'empty' if not stdout_escaped else ''}">
+            {stdout_escaped if stdout_escaped else '(no output)'}
+        </div>
+    </div>
+    {f'<div class="output-section"><div class="output-title">⚠️ STDERR</div><div class="output-content stderr">{stderr_escaped}</div></div>' if stderr_escaped else ''}
+</body>
+</html>"""
+
+@app.post("/execute")
+async def execute_code(request: CodeExecutionRequest):
+    """Execute code in Docker sandbox"""
+    
+    if not DOCKER_AVAILABLE:
+        raise HTTPException(status_code=503, detail="Docker not available in this environment")
+    
+    start_time = time.time()
+    
+    # Execute in Docker
+    success, stdout, stderr = executor.execute_in_docker(
+        request.language, 
+        request.code, 
+        request.timeout
+    )
+    
+    execution_time = time.time() - start_time
+    
+    # Generate terminal view
+    terminal_html = format_terminal_html(
+        request.language,
+        success,
+        stdout,
+        stderr,
+        execution_time,
+        executor.execution_count
+    )
+    
+    # Encode as data URLs
+    terminal_b64 = base64.b64encode(terminal_html.encode('utf-8')).decode('utf-8')
+    terminal_url = f"data:text/html;base64,{terminal_b64}"
+    
+    # For HTML/React, use stdout as preview
+    preview_url = None
+    if request.language.lower() in ["html", "react"]:
+        preview_b64 = base64.b64encode(stdout.encode('utf-8')).decode('utf-8')
+        preview_url = f"data:text/html;base64,{preview_b64}"
+    
+    return {
+        "status": "success" if success else "error",
+        "preview_url": preview_url,
+        "terminal_view_url": terminal_url,
+        "execution_time": execution_time,
+        "docker_enabled": True
+    }
+
+@app.get("/health")
+async def health_check():
+    """Health check endpoint"""
+    return {
+        "status": "healthy",
+        "docker_available": DOCKER_AVAILABLE
+    }
+
+@app.get("/")
+async def root():
+    """Root endpoint"""
+    return {
+        "message": "🐳 Docker Sandbox Executor API",
+        "docker_enabled": DOCKER_AVAILABLE,
+        "endpoints": {
+            "/execute": "POST - Execute code in Docker sandbox",
+            "/health": "GET - Health check"
+        }
+    }
+
+if __name__ == "__main__":
+    import uvicorn
+    uvicorn.run(app, host="0.0.0.0", port=7860)

requirements.txt

@@ -0,0 +1,5 @@
+fastapi
+uvicorn[standard]
+docker
+pydantic
+python-multipart