PySandbox
-------

*Unstable*

PySandbox is a backend for untrusted python sources. It is based on CPython's bytecode format and containers. It works step by step through the pipeline of pysandbox. 

Client > Purifier > PySandbox > Executor > NameKeeper > Container

Client
------
Sends untrusted python code as a raw string. E.g;

print(2 + 2)

Purifier
--------
Checks for any potential threats in code. Raises Insecure exception if sees any.

PySandbox
-------
Responsible for managing containers and sending data to them. Takes user code that is checked from Purifier. Compiles it to bytecode, marshals it and encodes it before shipping it via JSON. Starts container in every action of running command.

Uses container caching by giving id values to every container it started. If given id not found in instances; it will start new and after it is done with it, it will pause instead of kill. `quit` method should be called before exitting.

The preffered encoding is base64.
PySandbox uses ports in a range of 1765 to nth container running same time

Executor
--------
An HTTP service that takes base64 encoded python bytecode. It executes bytecode in a listened environment. Routes standard out and error file descriptors to a buffer and returns it as a json format. That listened environment provided by NameKeeper.

Request: {'code': '<b64encoded-bytecode>'}
Response (200): {'result': {'out': '<stdout>', 'err': '<stderr'}}
Response (400): {'result': 'FAIL'}
Response (500): {'result': 'FAIL'}

NameKeeper
----------
Namekeeper is a standalone context manager for forbidding builtin function, patching type attributes etc. It forbids eval/compile/exec/open/input/ and patches import. Also it removes some members of types. 

Container
---------
A python:<python-version>-alpine image that contains executor