engineer-man piston Piston

A high performance general purpose code execution engine.


GitHub last commit GitHub issues GitHub pull requests

---

AboutPublic APIGetting StartedUsageSupported LanguagesPrinciplesSecurityLicense

---
# About

Piston is a high performance general purpose code execution engine. It excels at running untrusted and possibly malicious code without fear from any harmful effects.


It's used in numerous places including: * [EMKC Challenges](https://emkc.org/challenges), * [EMKC Weekly Contests](https://emkc.org/contests), * [Engineer Man Discord Server](https://discord.gg/engineerman), * [I Run Code (Discord Bot)](https://github.com/engineer-man/piston-bot) bot as well as 1300+ other servers and 100+ direct integrations. To get it in your own server, go here: https://emkc.org/run.
# Public API - Requires no installation and you can use it immediately. - Reference the Versions/Execute sections below to learn about the request and response formats.
When using the public Piston API, use the base URL: ``` https://emkc.org/api/v1/piston ``` #### GET ``` https://emkc.org/api/v1/piston/versions ``` #### POST ``` https://emkc.org/api/v1/piston/execute ``` > Important Note: The Piston API is rate limited to 5 requests per second. If you have a need for more requests than that and it's for a good cause, please reach out to me (EngineerMan#0001) on [Discord](https://discord.gg/engineerman) so we can discuss potentially getting you an unlimited key.
# Getting Started ### Host System Package Dependencies * NodeJS * lxc * libvirt
If your OS is not documented below, please open pull requests with the correct commands for your OS.
CentOS / RHEL ```sh curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.37.2/install.sh | bash nvm install --lts nvm use --lts yum install -y epel-release yum install -y lxc lxc-templates debootstrap libvirt systemctl start libvirtd ```
Ubuntu (18.04) ```sh curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.37.2/install.sh | bash nvm install --lts nvm use --lts apt install -y lxc lxc-templates debootstrap libvirt0 ```
Arch Linux ```sh curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.37.2/install.sh | bash nvm install --lts nvm use --lts pacman -S lxc libvirt unzip ```
#### After system dependencies are installed, clone this repository: ```sh # clone and enter repo git clone https://github.com/engineer-man/piston cd piston/lxc ``` #### Installation (simple) - Coming soon. #### Installation (advanced) - See `var/install.txt` for how to create a new LXC container and install all of the required software. #### CLI Usage - `cli/execute [language] [file path] [args]`
# Usage ### CLI ```sh lxc/execute [language] [file path] [args] ``` ### API To use the API, it must first be started. Please note that if root is required to access LXC then the API must also be running as root. To start the API, run the following: ``` cd api ./start ``` For your own local installation, the API is available at ``` http://127.0.0.1:2000 ``` #### Versions Endpoint `GET /versions` This endpoint takes no input and returns a JSON array of the currently installed languages. Truncated response sample: ```json HTTP/1.1 200 OK Content-Type: application/json [ { "name": "awk", "aliases": ["awk"], "version": "1.3.3" }, { "name": "bash", "aliases": ["bash"], "version": "4.4.20" }, { "name": "c", "aliases": ["c"], "version": "7.5.0" } ] ``` #### Execute Endpoint `POST /execute` This endpoint takes the following JSON payload and expects at least the language and source. If source is not provided, a blank file is passed as the source. If no `args` are desired, it can either be an empty array or left out entirely. ```json { "language": "js", "source": "console.log(process.argv)", "args": [ "1", "2", "3" ] } ``` A typical response upon successful execution will contain the `language`, `version`, `output` which is a combination of both `stdout` and `stderr` but in chronological order according to program output, as well as separate `stdout` and `stderr`. ```json HTTP/1.1 200 OK Content-Type: application/json { "ran": true, "language": "js", "version": "12.13.0", "output": "[ '/usr/bin/node',\n '/tmp/code.code',\n '1',\n '2',\n '3' ]", "stdout": "[ '/usr/bin/node',\n '/tmp/code.code',\n '1',\n '2',\n '3' ]", "stderr": "" } ``` If an invalid language is supplied, a typical response will look like the following: ```json HTTP/1.1 400 Bad Request Content-Type: application/json { "message": "Provided language is not supported by Piston" } ```
# Supported Languages | | | |:---------:|------------| | awk | julia | | bash | kotlin | | brainfuck | lua | | c | nasm | | cpp | node | | csharp | paradoc | | deno | perl | | erlang | php | | elixir | python2 | | emacs | python3 | | elisp | ruby | | go | rust | | haskell | swift | | java | typescript | | jelly | |
# Principle of Operation Piston utilizes LXC as the primary mechanism for sandboxing. There is a small API written in Node which takes in execution requests and executes them in the container. High level, the API writes a temporary source and args file to `/tmp` and that gets mounted read-only along with the execution scripts into the container. The source file is either ran or compiled and ran (in the case of languages like c, c++, c#, go, etc.).
# Security LXC provides a great deal of security out of the box in that it's separate from the system. Piston takes additional steps to make it resistant to various privilege escalation, denial-of-service, and resource saturation threats. These steps include: - Disabling outgoing network interaction - Capping max processes at 64 (resists `:(){ :|: &}:;`, `while True: os.fork()`, etc.) - Capping max files at 2048 (resists various file based attacks) - Mounting all resources read-only (resists `sudo rm -rf --no-preserve-root /`) - Cleaning up all temp space after each execution (resists out of drive space attacks) - Running as a variety of unprivileged users - Capping runtime execution at 3 seconds - Capping stdout to 65536 characters (resists yes/no bombs and runaway output) - SIGKILLing misbehaving code
# License Piston is licensed under the MIT license.