{"id":31677422,"url":"https://github.com/thecomputerm/localbox","last_synced_at":"2025-10-08T05:23:16.886Z","repository":{"id":314566359,"uuid":"1053275869","full_name":"TheComputerM/localbox","owner":"TheComputerM","description":"An easy-to-host, general purpose and fast code execution system for running untrusted code in sandboxes","archived":false,"fork":false,"pushed_at":"2025-10-01T07:52:02.000Z","size":420,"stargazers_count":0,"open_issues_count":1,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-10-01T09:11:47.634Z","etag":null,"topics":["isolate","sandbox"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/TheComputerM.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-09-09T08:20:02.000Z","updated_at":"2025-10-01T07:52:06.000Z","dependencies_parsed_at":"2025-09-13T09:54:14.528Z","dependency_job_id":"875bdf97-ddde-4bee-909c-4be3df04b793","html_url":"https://github.com/TheComputerM/localbox","commit_stats":null,"previous_names":["thecomputerm/localbox"],"tags_count":4,"template":false,"template_full_name":null,"purl":"pkg:github/TheComputerM/localbox","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/TheComputerM%2Flocalbox","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/TheComputerM%2Flocalbox/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/TheComputerM%2Flocalbox/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/TheComputerM%2Flocalbox/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/TheComputerM","download_url":"https://codeload.github.com/TheComputerM/localbox/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/TheComputerM%2Flocalbox/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":278891761,"owners_count":26063860,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-08T02:00:06.501Z","response_time":56,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["isolate","sandbox"],"created_at":"2025-10-08T05:23:12.686Z","updated_at":"2025-10-08T05:23:16.881Z","avatar_url":"https://github.com/TheComputerM.png","language":"Go","readme":"\u003cdiv\u003e\n  \u003ch1 style=\"text-align:center\"\u003eLocalBox\u003c/h1\u003e\n  \u003cp style=\"text-align:center\"\u003eAn \u003cb\u003eeasy-to-host\u003c/b\u003e, \u003cb\u003egeneral purpose\u003c/b\u003e and \u003cb\u003efast\u003c/b\u003e code execution system for running \u003cb\u003euntrusted\u003c/b\u003e code in sandboxes.\u003c/p\u003e\n\u003c/div\u003e\n\n## Why?\n\n[Piston](https://github.com/engineer-man/piston) and [Judge0](https://github.com/judge0/judge0) are already well established and tested code execution systems, so why the need to reinvent the wheel?\n\nBoth of these projects have some *issues* which did not fit my usecase, namely:\n\n1. In both Piston and Judge0\n    - You cannot install the latest versions of compilers and runtimes, you are only limited to the versions which the creators bothered to add and update.\n    - Very difficult to run arbitrary commands for specific usecases.\n2. In Piston\n    - Isolate doesn't share cgroups with host system which can lead to inaccurate program limits and runtime metrics.\n    - All programs are run in bash which adds additional overhead to measuring program runtime metrics.\n    - You have to compile/build the runtime on your system for many languages instead of getting prebuilt binaries.\n3. In Judge0\n    - Only supports outdated linux cgroups v1, you will have to change kernel options in any machine with a recent linux kernel.\n    - Cannot take multiple files as input.\n\n## Getting Started\n\n### With Docker\n\nThe image exposes port 2000 by default, the `--privileged --cgroupns=host` are important as they allow localbox to manipulate cgroups.\n\n```sh\ndocker run --rm -it --privileged --cgroupns=host -p 2000:2000 ghcr.io/thecomputerm/localbox:latest\n```\n\n## Usage\n\nYou can visit http://localhost:2000/docs to get the full API documentation.\n\n![API Docs](./assets/api.png)\n\nHere are the options you can provide the sandbox with to configure it:\n\n```go\ntype SandboxPhaseOptions struct {\n\tMemoryLimit   int               `json:\"memory_limit,omitempty\" doc:\"Maximum total memory usage allowed by the whole control group in KB, '-1' for no limit\" default:\"-1\"`\n\tTimeLimit     int               `json:\"time_limit,omitempty\" doc:\"Maximum CPU time of the program in milliseconds, '-1' for no limit\" default:\"5000\"`\n\tWallTimeLimit int               `json:\"wall_time_limit,omitempty\" doc:\"Maximum wall time of the program in milliseconds, '-1' for no limit\" default:\"10000\"`\n\tFilesLimit    int               `json:\"files_limit,omitempty\" doc:\"Maximum number of open files allowed in the sandbox, '-1' for no limit\" default:\"64\"`\n\tFileSizeLimit int               `json:\"file_size_limit,omitempty\" doc:\"Maximum size a file created/modified in the sandbox in KB, -1 for no limit\" default:\"10000\"`\n\tProcessLimit  int               `json:\"process_limit,omitempty\" doc:\"Maximum number of processes allowed in the sandbox\" default:\"64\"`\n\tNetwork       bool              `json:\"network,omitempty\" doc:\"Whether to enable network access in the sandbox\" default:\"false\"`\n\tStdin         string            `json:\"stdin,omitempty\" doc:\"Text to pass into stdin of the program\" default:\"\"`\n\tBufferLimit   int               `json:\"buffer_limit,omitempty\" doc:\"Maximum kilobytes to capture from stdout and stderr\" default:\"8\"`\n\tEnvironment   map[string]string `json:\"environment,omitempty\" doc:\"Environment variables to set in the sandbox\" example:\"{}\"`\n}\n```\n\nAnd here are the options you have to define to mount files in the sandbox\n\n```go\ntype SandboxFile struct {\n\tName     string `json:\"name\" doc:\"Path of the file within the sandbox\" example:\"hello.txt\"`\n\tContent  string `json:\"content\" doc:\"Content of the file\" example:\"Hello World\"`\n\tEncoding string `json:\"encoding,omitempty\" doc:\"Encoding of the content field\" enum:\"utf8,base64,hex\" default:\"utf8\" `\n}\n```\n\n### Using an Engine\n\n`GET /engine`: List all the available engines.\n\nHere is a [list of available languages/runtimes](./engines/) packaged as engines, these provide preconfigured compile and execute steps so you don't have to set stuff up.\n\n`POST /engine/{engine_name}/execute`: Execute a predefined engine with an execution phase whose options can be overridden.\n\n```jsonc\n// Request Body\n{\n  \"options\": {\n    \"stdin\": \"hello world\"\n  },\n  \"files\": [\n    {\n      \"content\": \"print(input())\",\n      \"encoding\": \"utf8\",\n      \"name\": \"@\" // use \"@\" to denote that this file is the main executable for the engine\n    }\n  ]\n}\n\n// Response\n{\n  \"$schema\": \"http://localhost:2000/schemas/SandboxPhaseResults.json\",\n  \"time\": 24,\n  \"wall_time\": 55,\n  \"memory\": 6748,\n  \"max_rss\": 11212,\n  \"status\": \"OK\",\n  \"message\": \"Executed\",\n  \"exit_code\": 0,\n  \"stdout\": \"hello world\",\n  \"stderr\": \"\"\n}\n```\n\n```go\ntype SandboxPhaseMetadata struct {\n\tTime     int    `json:\"time\" doc:\"Run time of the program in milliseconds\" example:\"500\"`\n\tWallTime int    `json:\"wall_time\" doc:\"Wall time of the program in milliseconds\" example:\"1000\"`\n\tMemory   int    `json:\"memory\" doc:\"Total memory use by the whole control group in KB\" example:\"256\"`\n\tMaxRSS   int    `json:\"max_rss\" doc:\"Maximum resident set size of the program in KB\" example:\"128\"`\n\tStatus   string `json:\"status\" doc:\"Two-letter status code\" example:\"OK\" enum:\"OK,RE,SG,TO,XX,OE,CE\"`\n\tMessage  string `json:\"message\" doc:\"Human-readable message\" example:\"Executed\"`\n\tExitCode int    `json:\"exit_code\" doc:\"Exit code/signal from the program\" example:\"0\"`\n}\n\ntype SandboxPhaseResults struct {\n\tSandboxPhaseMetadata\n\tStdout string `json:\"stdout\" doc:\"stdout of the program\" example:\"program output\"`\n\tStderr string `json:\"stderr\" doc:\"stderr of the program\" example:\"\"`\n}\n```\n\n### Custom workflow\n\nInstead of using a predefined engine, you can go the full custom route by specifying your own packages, commands and options for each phase.\n\n```go\ntype SandboxPhase struct {\n\tCommand   string   `json:\"command\" doc:\"Command to execute in the sandbox\" example:\"cat hello.txt\"`\n\tSkipShell bool     `json:\"skip_shell,omitempty\" doc:\"Doesn't use a shell to run the command to if true, can be used to get more accurate results\" default:\"false\"`\n\tPackages  []string `json:\"packages,omitempty\" doc:\"Nix packages to install in the sandbox\" example:\"nixpkgs#cowsay,nixpkgs/nixos-25.05#busybox\"`\n}\n```\n\n`POST /execute`: Execute a series of phases, where each of them can have different options, packages and commands with persistent files.\n\n```jsonc\n// Request Body\n{\n  \"files\": [\n    {\n      \"content\": \"Hello World\",\n      \"encoding\": \"utf8\",\n      \"name\": \"hello.txt\"\n    }\n  ],\n  \"phases\": [\n    {\n      \"buffer_limit\": 8,\n      \"command\": \"cat hello.txt\",\n      \"environment\": {},\n      \"files_limit\": 64,\n      \"memory_limit\": -1,\n      \"network\": false,\n      \"packages\": [\n        \"nixpkgs#cowsay\",\n        \"nixpkgs/nixos-25.05#busybox\"\n      ],\n      \"process_limit\": 64,\n      \"skip_shell\": false,\n      \"stdin\": \"string\",\n      \"time_limit\": 5000\n    }\n  ]\n}\n\n// Response Body\n[\n  {\n    \"time\": 4,\n    \"wall_time\": 14,\n    \"memory\": 500,\n    \"status\": \"OK\",\n    \"message\": \"Executed\",\n    \"exit_code\": 0,\n    \"stdout\": \"Hello World\",\n    \"stderr\": \"\"\n  }\n]\n```\n\nHere are the status codes the result can have:\n\n- `OK`: no errors\n- `RE`: run-time error, i.e., exited with a non-zero exit code\n- `SG`: program died on a signal\n- `TO`: timed out\n- `XX`: internal error of the sandbox\n- `OE`: buffer limit exceeded for stdout/stderr\n- `CE`: compile error (only when executing engines)\n\n## Security\n\nAs both localbox and piston use isolate, they both make use of Linux namespaces, chroot, multiple unprivileged users, and cgroup for sandboxing and resource limiting; thereby providing [similar battle-tested security](https://github.com/engineer-man/piston/tree/master?tab=readme-ov-file#security).\n\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fthecomputerm%2Flocalbox","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fthecomputerm%2Flocalbox","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fthecomputerm%2Flocalbox/lists"}