piston/readme.md

353 lines
10 KiB
Markdown
Raw Normal View History

2021-02-21 01:37:21 +01:00
<h1 align="center">
2021-04-23 04:30:01 +02:00
<a href="https://github.com/engineer-man/piston">
2021-04-23 04:34:04 +02:00
<img src="var/docs/images/piston.svg" valign="middle" width="58" height="58" alt="engineer-man piston" />
2021-04-23 04:30:01 +02:00
</a>
2021-04-23 04:34:10 +02:00
<span valign="middle">
2021-04-23 04:30:01 +02:00
Piston
</span>
2021-02-21 01:37:21 +01:00
</h1>
<h3 align="center">A high performance general purpose code execution engine.</h3>
2021-04-23 04:30:01 +02:00
2021-02-21 01:37:21 +01:00
<br>
<p align="center">
<a href="https://github.com/engineer-man/piston/commits/master">
<img src="https://img.shields.io/github/last-commit/engineer-man/piston.svg?style=for-the-badge&logo=github&logoColor=white"
alt="GitHub last commit">
<a href="https://github.com/engineer-man/piston/issues">
<img src="https://img.shields.io/github/issues/engineer-man/piston.svg?style=for-the-badge&logo=github&logoColor=white"
alt="GitHub issues">
<a href="https://github.com/engineer-man/piston/pulls">
<img src="https://img.shields.io/github/issues-pr-raw/engineer-man/piston.svg?style=for-the-badge&logo=github&logoColor=white"
alt="GitHub pull requests">
</p>
---
<h4 align="center">
<a href="#About">About</a>
<a href="#Public-API">Public API</a>
<a href="#Getting-Started">Getting Started</a>
<a href="#Usage">Usage</a>
<a href="#Supported-Languages">Supported Languages</a>
<a href="#Principle-of-Operation">Principles</a>
<a href="#Security">Security</a>
<a href="#License">License</a>
</h4>
---
<br>
# About
<h4>
2021-04-23 04:30:01 +02:00
Piston is a high performance general purpose code execution engine. It excels at running untrusted and
possibly malicious code without fear from any harmful effects.
2021-02-21 01:37:21 +01:00
</h4>
2021-04-23 04:30:01 +02:00
2021-02-21 01:37:21 +01:00
<br>
It's used in numerous places including:
2021-04-23 04:30:01 +02:00
* [EMKC Challenges](https://emkc.org/challenges)
* [EMKC Weekly Contests](https://emkc.org/contests)
* [Engineer Man Discord Server](https://discord.gg/engineerman)
2021-04-24 19:41:37 +02:00
* Web IDEs
2021-04-24 19:39:31 +02:00
* 200+ direct integrations
2021-02-21 01:37:21 +01:00
<br>
2021-04-23 04:30:01 +02:00
### Official Extensions
The following are approved and endorsed extensions/utilities to the core Piston offering.
2021-04-24 19:41:37 +02:00
- [I Run Code](https://github.com/engineer-man/piston-bot), a Discord bot used in 4100+ servers to handle arbitrary code evaluation in Discord. To get this bot in your own server, go here: https://emkc.org/run.
2021-04-23 04:30:01 +02:00
- [Piston CLI](https://github.com/Shivansh-007/piston-cli), a universal shell supporting code highlighting, files, and interpretation without the need to download a language.
<br>
2021-02-21 01:37:21 +01:00
# Public API
- Requires no installation and you can use it immediately.
- Reference the Runtimes/Execute sections below to learn about the request and response formats.
2021-02-21 01:37:21 +01:00
<br>
When using the public Piston API, use the following two URLs:
2021-02-21 01:37:21 +01:00
```
GET https://emkc.org/api/v2/piston/runtimes
POST https://emkc.org/api/v2/piston/execute
2021-02-21 01:37:21 +01:00
```
> Important Note: The Piston API is rate limited to 5 requests per second. If you have a need for more requests than that
and it's for a good cause, please reach out to me (EngineerMan#0001) on [Discord](https://discord.gg/engineerman)
so we can discuss potentially getting you an unlimited key.
<br>
# Getting Started
2021-03-20 05:06:35 +01:00
## All In One
2021-02-21 01:37:21 +01:00
### Host System Package Dependencies
- Docker
- Docker Compose
- Node JS
2021-03-20 05:06:35 +01:00
### After system dependencies are installed, clone this repository:
2021-02-21 01:37:21 +01:00
```sh
# clone and enter repo
git clone https://github.com/engineer-man/piston
```
### Installation
2021-03-20 05:10:53 +01:00
```sh
# Start the API container
2021-04-23 01:43:21 +02:00
docker-compose up -d api
2021-03-20 05:10:53 +01:00
# Install all the dependencies for the cli
2021-04-23 01:43:21 +02:00
cd cli && npm i && cd -
2021-03-20 05:10:53 +01:00
```
2021-03-20 05:06:35 +01:00
## Just Piston (no CLI)
### Host System Package Dependencies
- Docker
2021-02-21 01:37:21 +01:00
2021-03-20 05:06:35 +01:00
### Installation
```sh
2021-04-23 05:27:50 +02:00
docker run \
-v $PWD:'/piston' \
--tmpfs /piston/jobs \
-dit \
-p 2000:2000 \
--name piston_api \
ghcr.io/engineer-man/piston
2021-03-20 05:06:35 +01:00
```
2021-02-21 01:37:21 +01:00
<br>
# Usage
### CLI
2021-03-20 05:06:35 +01:00
The CLI is the main tool used for installing packages within piston, but also supports running code.
You can execute the cli with `cli/index.js`.
2021-02-21 01:37:21 +01:00
```sh
2021-03-20 05:06:35 +01:00
# List all available packages
cli/index.js ppman list
2021-02-21 01:37:21 +01:00
2021-04-23 05:15:47 +02:00
# Install latest python
cli/index.js ppman install python
2021-04-23 05:27:50 +02:00
# Install specific version of python
cli/index.js ppman install python 3.9.4
2021-04-06 07:34:08 +02:00
2021-04-23 05:27:50 +02:00
# Run a python script using the latest version
echo 'print("Hello world!")' > test.py
2021-04-23 05:15:47 +02:00
cli/index.js run python test.py
2021-04-06 07:34:08 +02:00
2021-04-23 05:27:50 +02:00
# Run a python script using a specific version
echo 'print("Hello world!")' > test.py
cli/index.js run python test.py -l 3.9.4
2021-04-23 05:15:47 +02:00
cli/index.js run python test.py -l 3.x
2021-04-23 05:27:50 +02:00
cli/index.js run python test.py -l 3
2021-02-21 01:37:21 +01:00
```
2021-03-20 05:06:35 +01:00
If you are operating on a remote machine, add the `-u` flag like so:
2021-02-21 01:37:21 +01:00
2021-03-20 05:06:35 +01:00
```sh
cli/index.js -u http://piston.server:2000 ppman list
2021-02-21 01:37:21 +01:00
```
2021-03-20 05:06:35 +01:00
### API
The container exposes an API on port 2000 by default.
2021-04-23 01:43:21 +02:00
This is used by the CLI to carry out running jobs and package management.
2021-03-20 05:06:35 +01:00
#### Runtimes Endpoint
`GET /api/v2/runtimes`
2021-03-28 21:29:28 +02:00
This endpoint will return the supported languages along with the current version and aliases. To execute
code for a particular language using the `/api/v2/execute` endpoint, either the name or one of the aliases must
2021-03-20 05:06:35 +01:00
be provided, along with the version.
Multiple versions of the same language may be present at the same time, and may be selected when running a job.
2021-02-21 01:37:21 +01:00
```json
HTTP/1.1 200 OK
Content-Type: application/json
[
2021-04-23 04:30:01 +02:00
{
"language": "bash",
"version": "5.1.0",
"aliases": [
"sh"
]
},
{
"language": "brainfuck",
"version": "2.7.3",
"aliases": [
"bf"
]
},
...
2021-02-21 01:37:21 +01:00
]
```
#### Execute Endpoint
`POST /api/v2/execute`
2021-02-21 01:37:21 +01:00
This endpoint requests execution of some arbitrary code.
2021-03-20 05:06:35 +01:00
- `language` (**required**) The language to use for execution, must be a string and must be installed.
- `version` (**required**) The version of the language to use for execution, must be a string containing a SemVer selector for the version or the specific version number to use.
2021-04-23 01:52:50 +02:00
- `files` (**required**) An array of files containing code or other data that should be used for execution. The first file in this array is considered the main file.
2021-04-23 04:39:44 +02:00
- `files[].name` (*optional*) The name of the file to upload, must be a string containing no path or left out.
2021-03-20 05:06:35 +01:00
- `files[].content` (**required**) The content of the files to upload, must be a string containing text to write.
2021-04-23 04:39:44 +02:00
- `stdin` (*optional*) The text to pass as stdin to the program. Must be a string or left out. Defaults to blank string.
- `args` (*optional*) The arguments to pass to the program. Must be an array or left out. Defaults to `[]`.
- `compile_timeout` (*optional*) The maximum time allowed for the compile stage to finish before bailing out in milliseconds. Must be a number or left out. Defaults to `10000` (10 seconds).
- `run_timeout` (*optional*) The maximum time allowed for the run stage to finish before bailing out in milliseconds. Must be a number or left out. Defaults to `3000` (3 seconds).
- `compile_memory_limit` (*optional*) The maximum amount of memory the compile stage is allowed to use in bytes. Must be a number or left out. Defaults to `-1` (no limit)
- `run_memory_limit` (*optional*) The maximum amount of memory the run stage is allowed to use in bytes. Must be a number or left out. Defaults to `-1` (no limit)
2021-03-20 05:06:35 +01:00
2021-02-21 01:37:21 +01:00
```json
{
"language": "js",
2021-03-20 05:06:35 +01:00
"version": "15.10.0",
2021-04-23 04:30:01 +02:00
"files": [
2021-03-20 05:06:35 +01:00
{
"name": "my_cool_code.js",
"content": "console.log(process.argv)"
}
],
2021-02-21 01:37:21 +01:00
"stdin": "",
"args": [
"1",
"2",
"3"
2021-03-20 05:06:35 +01:00
],
"compile_timeout": 10000,
"run_timeout": 3000,
"compile_memory_limit": -1,
"run_memory_limit": -1
2021-02-21 01:37:21 +01:00
}
```
2021-03-20 05:06:35 +01:00
A typical response upon successful execution will contain 1 or 2 keys `run` and `compile`.
`compile` will only be present if the language requested requires a compile stage.
Each of these keys has an identical structure, containing both a `stdout` and `stderr` key, which is a string containing the text outputted during the stage into each buffer.
It also contains the `code` and `signal` which was returned from each process.
2021-02-21 01:37:21 +01:00
```json
HTTP/1.1 200 OK
Content-Type: application/json
{
"language": "js",
"version": "15.10.0",
2021-04-23 04:30:01 +02:00
"run": {
"stdout": "[\n '/piston/packages/node/15.10.0/bin/node',\n '/piston/jobs/9501b09d-0105-496b-b61a-e5148cf66384/my_cool_code.js',\n '1',\n '2',\n '3'\n]\n",
"stderr": "",
"output": "[\n '/piston/packages/node/15.10.0/bin/node',\n '/piston/jobs/9501b09d-0105-496b-b61a-e5148cf66384/my_cool_code.js',\n '1',\n '2',\n '3'\n]\n",
2021-04-23 04:30:01 +02:00
"code": 0,
"signal": null
}
2021-02-21 01:37:21 +01:00
}
```
2021-04-23 04:30:01 +02:00
2021-02-21 01:37:21 +01:00
If a problem exists with the request, a `400` status code is returned and the reason in the `message` key.
```json
HTTP/1.1 400 Bad Request
Content-Type: application/json
{
2021-03-20 05:06:35 +01:00
"message": "html-5.0.0 runtime is unknown"
2021-02-21 01:37:21 +01:00
}
```
<br>
2021-01-16 18:01:35 +01:00
# Supported Languages
2021-01-22 09:45:52 +01:00
`bash`,
`brainfuck`,
2021-04-23 05:08:00 +02:00
`cjam`,
`clojure`,
2021-04-06 07:38:30 +02:00
`coffeescript`,
`cow`,
2021-01-23 22:40:25 +01:00
`crystal`,
2021-04-06 07:38:30 +02:00
`dart`,
2021-01-23 22:40:25 +01:00
`dash`,
2021-01-22 09:45:52 +01:00
`deno`,
2021-04-06 07:38:30 +02:00
`dotnet`,
2021-04-23 05:08:00 +02:00
`dragon`,
2021-01-22 09:45:52 +01:00
`elixir`,
`emacs`,
2021-04-06 07:38:30 +02:00
`erlang`,
`gawk`,
`gcc`,
2021-01-22 09:45:52 +01:00
`go`,
2021-04-23 05:08:00 +02:00
`golfscript`,
2021-04-06 07:38:30 +02:00
`groovy`,
2021-01-22 09:45:52 +01:00
`haskell`,
`java`,
`jelly`,
`julia`,
`kotlin`,
2021-01-23 22:40:25 +01:00
`lisp`,
2021-03-12 20:18:43 +01:00
`lolcode`,
2021-01-22 09:45:52 +01:00
`lua`,
2021-04-06 07:38:30 +02:00
`mono`,
2021-01-22 09:45:52 +01:00
`nasm`,
2021-01-23 22:45:42 +01:00
`nim`,
2021-01-22 09:45:52 +01:00
`node`,
2021-04-06 07:38:30 +02:00
`ocaml`,
2021-01-27 16:53:59 +01:00
`osabie`,
2021-01-22 09:45:52 +01:00
`paradoc`,
2021-04-06 07:38:30 +02:00
`pascal`,
2021-01-22 09:45:52 +01:00
`perl`,
`php`,
2021-04-23 05:08:00 +02:00
`ponylang`,
2021-04-06 07:38:30 +02:00
`prolog`,
`pure`,
`python`,
`rockstar`,
2021-01-22 09:45:52 +01:00
`ruby`,
`rust`,
2021-02-05 05:03:17 +01:00
`scala`,
2021-01-22 09:45:52 +01:00
`swift`,
`typescript`,
2021-04-06 07:38:30 +02:00
`vlang`,
`yeethon`,
2021-01-23 22:40:25 +01:00
`zig`,
2021-01-16 18:01:35 +01:00
<br>
2021-02-21 01:37:21 +01:00
# Principle of Operation
2021-03-20 05:06:35 +01:00
Piston uses Docker as the primary mechanism for sandboxing. There is an API within the container written in Node
which takes in execution requests and executees them within the container safely.
High level, the API writes any source code to a temporary directory in `/piston/jobs`.
2021-02-21 01:37:21 +01:00
The source file is either ran or compiled and ran (in the case of languages like c, c++, c#, go, etc.).
<br>
2021-03-20 05:06:35 +01:00
2021-02-21 01:37:21 +01:00
# Security
2021-03-20 05:06:35 +01:00
Docker provides a great deal of security out of the box in that it's separate from the system.
2021-02-21 01:37:21 +01:00
Piston takes additional steps to make it resistant to
various privilege escalation, denial-of-service, and resource saturation threats. These steps include:
- Disabling outgoing network interaction
2021-03-20 05:06:35 +01:00
- Capping max processes at 256 by default (resists `:(){ :|: &}:;`, `while True: os.fork()`, etc.)
2021-02-21 01:37:21 +01:00
- Capping max files at 2048 (resists various file based attacks)
- Cleaning up all temp space after each execution (resists out of drive space attacks)
- Running as a variety of unprivileged users
- Capping runtime execution at 3 seconds
- Capping stdout to 65536 characters (resists yes/no bombs and runaway output)
- SIGKILLing misbehaving code
2021-03-20 05:06:35 +01:00
2021-02-21 01:37:21 +01:00
<br>
# License
Piston is licensed under the MIT license.