Yeah for sure: run it inside a virtual machine, or do some sort of Docker magic.
You kind of need to pretend you are a whole computer for a programming language to be happy. There are built-in assumptions that they're running on a "real" computer. They assume they've got full access to network and disk. Installing packages often requires compiling C extensions, or running native binaries. All that stuff means the best way to sandbox is to virtualise a whole computer.
It's fun to do it with WebAssembly though, you get a lot of guarantees and it's quite lightweight.