Using go-playground for an exam
578 views
Skip to first unread message
Joonatan Saarhelo
May 24, 2016, 2:30:48 PM5/24/16
to golan...@googlegroups.com
Hi,
I am holding an exam for a programming course that involves solving programming problems. I'd like to make requests to the Go playground to compile and run the student's submissions so they immediately know whether they get points. Is this acceptable use of the playground? If yes, please give me a link that explains how the request has to be structured.
Joonatan Saarhelo
kennyl...@gmail.com
May 24, 2016, 5:59:32 PM5/24/16
to golang-dev
You could serve the playground locally if you suspect to flood it with unreasonable amounts of requests. It's part of godoc.
For the playground implementation, see golang.org/x/tools/playground. For godoc itself (not godoc.org), see golang.org/x/tools/cmd/godoc.
The playground is a websocket API thing, but look around in the linked repos for the details.
Regards,
Kenny
For the playground implementation, see golang.org/x/tools/playground. For godoc itself (not godoc.org), see golang.org/x/tools/cmd/godoc.
The playground is a websocket API thing, but look around in the linked repos for the details.
Regards,
Kenny
Jonathan
May 25, 2016, 11:52:00 AM5/25/16
to golang-dev, kennyl...@gmail.com
If you run the playground locally, does that still pose a security problem? In the past, I remember it ran with local user permissions. So, serving it up to people could allow malicious attacks on anything the local user can access.
Would it be more secure to run the playground via a local appengine instance? Or is there a better way to sandbox it?
Andrew Gerrand
May 25, 2016, 5:00:47 PM5/25/16
to Jonathan, Dan Kortschak, golang-dev, kennyl...@gmail.com
It is possible to build a tool chain that uses NaCl and run that locally. You can enable this with the 'present' tool using the -nacl flag. I've cc'd Dan Kortschak who has some experience doing this.
You're also welcome to use the endpoint at https://golang.org/compile. The best way to see how this works is to use the chrome network inspector to see how the requests are formed.
Andrew
--
You received this message because you are subscribed to the Google Groups "golang-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to golang-dev+...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
ma...@influxdb.com
May 25, 2016, 5:07:28 PM5/25/16
to golang-dev, joon...@gmail.com
You might be able to get by with the GopherJS playground, which runs completely in the browser AFAICT.
Joonatan Saarhelo
May 25, 2016, 5:21:09 PM5/25/16
to ma...@influxdb.com, golang-dev
I ended up hosting the Go compiler along with my server. No security measures whatsoever, but they are not really needed as the students won't know how to take over the server.
I might add whitelisting imports and make a library out of my code, because I first tried using https://github.com/zond/gosafe, but it just crashed. I looked at the source code, and it was pretty terrifying. This is my code ATM: https://github.com/joonazan/go-opas/blob/master/palvelin/runner.go
Dan Kortschak
May 25, 2016, 8:05:13 PM5/25/16
to Andrew Gerrand, Jonathan, golang-dev, kennyl...@gmail.com
There's not much to it. It works and I've had an instance running for
the past 3 years with no problems (it's fun seeing people trying to poke
it for php vulnerabilities - adg, maybe logging IPs of failed accesses
like this would be worthwhile. Should I file an issue?)
the past 3 years with no problems (it's fun seeing people trying to poke
it for php vulnerabilities - adg, maybe logging IPs of failed accesses
like this would be worthwhile. Should I file an issue?)
Dan Kortschak
May 25, 2016, 8:17:28 PM5/25/16
to Andrew Gerrand, Jonathan, golang-dev, kennyl...@gmail.com
On Thu, 2016-05-26 at 09:35 +0930, Dan Kortschak wrote:
> There's not much to it.
For completeness. The instance I have running is started via:
> There's not much to it.
present -nacl -base base -http :80 -orighost server.domain.edu 2>>present.log
You can leave out the -base flag, but I have modified pages that cover
our educational copyright exemption notices and so on. The present
executable has capability changes to get access to port 80 using setcap:
sudo setcap cap_net_bind_service=ep ~/bin/present
Dan Kortschak
Jun 2, 2016, 8:16:43 PM6/2/16
to Joonatan Saarhelo, ma...@influxdb.com, golang-dev
On Thu, 2016-05-26 at 00:21 +0300, Joonatan Saarhelo wrote:
> I ended up hosting the Go compiler along with my server. No security
> measures whatsoever, but they are not really needed as the students
> won't
> know how to take over the server.
>
> I might add whitelisting imports and make a library out of my code,
> because
> I first tried using https://github.com/zond/gosafe, but it just
> crashed. I
> looked at the source code, and it was pretty terrifying. This is my
> code
> ATM:
> https://github.com/joonazan/go-opas/blob/master/palvelin/runner.go
>
I'd see gosafe as a concept piece rather than something to actually use
> I ended up hosting the Go compiler along with my server. No security
> measures whatsoever, but they are not really needed as the students
> won't
> know how to take over the server.
>
> I might add whitelisting imports and make a library out of my code,
> because
> I first tried using https://github.com/zond/gosafe, but it just
> crashed. I
> looked at the source code, and it was pretty terrifying. This is my
> code
> ATM:
> https://github.com/joonazan/go-opas/blob/master/palvelin/runner.go
>
- note issue #1 and that GOMAXPROCS will probably be >1 unless care is
taken.
I would suggest using either a present slide or the tour with authored
article files, and running with nacl (it seems the tour doesn't support
nacl, but the changes are trivial so a CL might be worthwhile).
Reply all
Reply to author
Forward
0 new messages