My attempt to write a sandboxing library for clojure to allow secure execution of untrusted code
Latest commit e73433e Apr 2, 2011 Dave Byrne Fixed warnings using Clojure 1.2.x
Failed to load latest commit information.



In Clojure 1.2 the :initial feature isn’t working at the moment!!!
h1. clj-sandbox

Why clj-sandbox?

Well the short story is, because it is cool. There are so many things you can do when sandboxing code is dead simple. That is what I hope clj-sandbox will do, allow clojure code to add sandboxing with less then 5 lines of code.

Of cause that is a idealistic view, to really customize the sandbox you might need 10 lines ;).

Long story? I need sandboxing for a project, and on #clojure hiredman, bsteuber and me got in a talk how nice it would be to have a simple sandbox library. So the next day I decided that I take it upon me to make it reality ;). Truth be told, hiredman did a very good job for clojurebot, I lot of code and ideas were pioneered by him :)


1) create a .java.policy file to grant your code rights.

Simple example

In your code this will give you a very simple sandbox without jvm sandboxing:

  (use 'net.licenser.sandbox)
  (def my-sandbox (stringify-sandbox (new-sandbox)))
  (my-sandbox "(+ 1 1)")

More advanced example

If you want more security and posibilties

  (use 'net.licenser.sandbox)
  (def sc (stringify-sandbox (new-sandbox-compiler)))
  (def my-really-secure-add (sc "(+ a b)" 'a 'b))
  (my-really-secure-add {} 23 19) ;=> 42

Real world examples.

What better example as what people actually do with the code?

  1. Of cause EPIC uses clj-sandbox to run user scripts
  2. defn’s walton tool uses clj-sandbox to get better answers for your questions.
  3. Raynes’s IRC-bot sexpbot uses clj-sandbox too let users evaluate and test code in the IRC.
  4. clicki, a crazy wiki that lets user define the entire webside (code and everything) within itself.

See even now there are very varity usages for a sandbox and I hope there will be many more.


Add the following to your project.clj in leiningen:

[clj-sandbox “0.3”]


Copyright © 2009 Heinz N. Gies and Anthony Simpson.

This code is published under the EPL, have fun! See LICENSE.html for the booring stuff.


Thanks to hiredman from #clojure for the patience with my question and the
code for the JVM jail :).
Also thanks to Raynes from #clojure for using and testing the library, spotting
evilish bugs, proofreading the comments and some improvements :D!