The following code file structure outlines the organization of the project:
The core functionality has two entry points: the HTTP
service entry for DifySandbox
and the dynamic link library
entry. When the Sandbox runs code, it first generates a temporary code file. This file begins by calling the dynamic link library
to initialize the runtime environment (the Sandbox
). The user’s code is then executed within this temporary file, ensuring that the system remains protected from potentially harmful user-submitted code.
The dynamic link library uses Seccomp
to restrict system calls. The static
directory contains nodejs_syscall
and python_syscall
files, which provide system call whitelists for both ARM64
and AMD64
architectures. There are four files in total. Please do not modify these files unless absolutely necessary.
For minor issues like Typos
and Bugs
, feel free to submit a Pull Request
. For major changes or Feature
-level submissions, please open an Issue
first to facilitate discussion.
Here are some items we’re currently considering. If you’re interested, you can choose one to contribute:
Python
and Node.js
. Consider adding support for new languages.ARM64
and AMD64
architectures, and provide CI
testing to ensure security for any new language.Python
dependencies, which can be automatically installed during Sandbox initialization. However, due to the complexity of node_modules
, we haven’t yet found a good solution for Node.js
. This is an area open for improvement.Sandbox
would be valuable.Pillow
, and enable passing images into the Sandbox
for processing in Dify
.CI
testing:
CI
testing is limited and includes only basic test cases. More comprehensive testing would be beneficial.Sandbox
to generate multimodal data, such as combining text and images.Edit this page | Report an issue
The following code file structure outlines the organization of the project:
The core functionality has two entry points: the HTTP
service entry for DifySandbox
and the dynamic link library
entry. When the Sandbox runs code, it first generates a temporary code file. This file begins by calling the dynamic link library
to initialize the runtime environment (the Sandbox
). The user’s code is then executed within this temporary file, ensuring that the system remains protected from potentially harmful user-submitted code.
The dynamic link library uses Seccomp
to restrict system calls. The static
directory contains nodejs_syscall
and python_syscall
files, which provide system call whitelists for both ARM64
and AMD64
architectures. There are four files in total. Please do not modify these files unless absolutely necessary.
For minor issues like Typos
and Bugs
, feel free to submit a Pull Request
. For major changes or Feature
-level submissions, please open an Issue
first to facilitate discussion.
Here are some items we’re currently considering. If you’re interested, you can choose one to contribute:
Python
and Node.js
. Consider adding support for new languages.ARM64
and AMD64
architectures, and provide CI
testing to ensure security for any new language.Python
dependencies, which can be automatically installed during Sandbox initialization. However, due to the complexity of node_modules
, we haven’t yet found a good solution for Node.js
. This is an area open for improvement.Sandbox
would be valuable.Pillow
, and enable passing images into the Sandbox
for processing in Dify
.CI
testing:
CI
testing is limited and includes only basic test cases. More comprehensive testing would be beneficial.Sandbox
to generate multimodal data, such as combining text and images.Edit this page | Report an issue