I'm working on an online environment that will allow users to execute custom Scala code (think of it like continuous integration). However, I want to prevent them from doing certain things, most notably file I/O and network calls. I will allow limited forms of these functions with a library that I will expose.
The naive approach would be to simply replace /^import.*$/ with the empty string. However, there are plenty of ways for nefarious folks to get around that, with classloaders and such. I want the users to only have access to a preselected "whitelist" of imports rather than having to rely on a (possibly incomplete) blacklist.
I still haven't decided whether I'm going to call scalac on the underlying OS with their files, or whether to use IMain to interpret the text. Obviously if one method makes my desired result feasible, I'll go with that one. Bonus points if your answer includes ways to
How can I effectively sandbox my users' code?
There are two different issues: compile-time and run-time sandboxing.
Runtime sandboxing can be accomplished by using Java Security and classloader restrictions - see e.g. "How do I create a Java sandbox?" and, more cautionary, "Can I trust Java SecurityManager sandbox?" There's a lot more out there on this topic!
For Scala compile-time sandboxing, I have to defer. However, I wonder whether you need it. If the only people who try to use forbidden APIs are those who are trying to break into your system, there's no reason to make their job easier by providing compile-time checking.
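The classloader restriction mentioned in the answer, combined with the allow-list the question asks for, can look like the following. This is an added example, not code from the question or the answer; `AllowListClassLoader`, `AllowListDemo`, and the `sandbox.api.` and `usercode.` package names are hypothetical, and the prefix lists are constructed for illustration.

```scala
import java.net.{URL, URLClassLoader}
import scala.util.Try

// Hypothetical class: resolves a class only if its name matches an allow
// prefix and no deny prefix. Deny wins, so carve-outs inside an allowed
// package (e.g. java.lang.reflect under java.lang) stay blocked.
final class AllowListClassLoader(
    userClasspath: Array[URL],
    allow: Seq[String],
    deny: Seq[String],
    parent: ClassLoader
) extends URLClassLoader(userClasspath, parent) {

  def permitted(name: String): Boolean =
    allow.exists(p => name.startsWith(p)) && !deny.exists(p => name.startsWith(p))

  // The JVM calls this for every symbolic reference in classes this loader
  // defines, and single-argument Class.forName from user code also lands here.
  override protected def loadClass(name: String, resolve: Boolean): Class[_] = {
    if (!permitted(name))
      throw new ClassNotFoundException(s"blocked by sandbox allow-list: $name")
    super.loadClass(name, resolve)
  }
}

object AllowListDemo {
  // Constructed, illustrative lists; a real deployment needs an audited set.
  val allow = Seq("java.lang.", "scala.", "sandbox.api.", "usercode.")
  val deny = Seq("java.lang.reflect.", "java.lang.invoke.", "java.lang.Runtime",
    "java.lang.Process", "java.lang.ClassLoader", "java.lang.System",
    "scala.io.", "scala.sys.", "scala.reflect.")

  def main(args: Array[String]): Unit = {
    // No user jars in this demo; in practice pass the compiled output directory.
    val loader = new AllowListClassLoader(
      Array.empty[URL], allow, deny, getClass.getClassLoader)
    val probes = Seq("java.lang.String", "scala.Option", "java.io.File",
      "java.net.Socket", "java.lang.Runtime", "scala.io.Source")
    for (name <- probes) {
      val verdict = if (Try(loader.loadClass(name)).isSuccess) "loaded" else "blocked"
      println(s"$name -> $verdict")
    }
  }
}
```

The filter only sees references resolved through this loader: classes defined by the parent resolve their own dependencies through the parent, so every allowed library class that wraps file or network access is still reachable and has to be audited. Note also that the Java SecurityManager referred to in the answer is deprecated for removal as of Java 17 (JEP 411).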