
I'm interested to learn about their sandboxing. They allow a lot of user-submitted code to run server side. How do they sandbox this? What level of isolation do they use?

    - If language-runtime patches, then there are escapes likely.
    - If chroot, then there are escapes.
    - If linux namespaces, then there are escapes.
    - If ...
Which level did they go for?


I used to work there, not sure if things changed (we've given talks and written about it in the past): Language-runtime patches + user permissions (setuid) + rlimit + Linux containers + runner boxes have no access to the web server, db server, etc., so even if you root, there is nothing much to do.
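The rlimit and setuid layers of the runner described above, as an added Python example (not Codecademy's code): limits and the optional privilege drop are applied in the child after fork and before exec, and only strings come back to the caller. Container and network isolation of the runner box are assumed to be provided outside this script.

```python
import os
import resource
import signal
import subprocess
import sys


def make_preexec(cpu_seconds, mem_bytes, drop_uid=None, drop_gid=None):
    """Runs in the child after fork(), before exec(): apply rlimits, then drop root."""
    def preexec():
        # CPU time: SIGXCPU at the soft limit, SIGKILL if the hard limit is hit.
        resource.setrlimit(resource.RLIMIT_CPU, (cpu_seconds, cpu_seconds + 1))
        # Address-space cap: oversized allocations fail instead of exhausting the box.
        resource.setrlimit(resource.RLIMIT_AS, (mem_bytes, mem_bytes))
        # No core dumps of user code left on the runner.
        resource.setrlimit(resource.RLIMIT_CORE, (0, 0))
        # Privilege drop; only meaningful when the runner itself started as root.
        if drop_gid is not None:
            os.setgid(drop_gid)
        if drop_uid is not None:
            os.setuid(drop_uid)
    return preexec


def run_untrusted(code, cpu_seconds=2, mem_bytes=512 * 1024 * 1024,
                  wall_timeout=10, drop_uid=None, drop_gid=None):
    """Execute a snippet in a fresh, limited interpreter and return only strings."""
    try:
        proc = subprocess.run(
            [sys.executable, "-I", "-c", code],  # -I: ignore env vars and user site dir
            capture_output=True, text=True, timeout=wall_timeout,
            preexec_fn=make_preexec(cpu_seconds, mem_bytes, drop_uid, drop_gid),
        )
    except subprocess.TimeoutExpired:
        # subprocess.run has already killed the child at this point.
        return {"status": "wall-timeout", "stdout": "", "stderr": ""}
    if proc.returncode < 0:
        return {"status": "killed", "signal": signal.Signals(-proc.returncode).name,
                "stdout": proc.stdout, "stderr": proc.stderr}
    return {"status": "ok" if proc.returncode == 0 else "error",
            "exit": proc.returncode, "stdout": proc.stdout, "stderr": proc.stderr}


if __name__ == "__main__":
    # Constructed snippets: a benign one, a memory hog, and a CPU spinner.
    for snippet in ("print(sum(range(10)))", "bytearray(2 * 1024 ** 3)", "while True: pass"):
        print(run_untrusted(snippet, cpu_seconds=1))
```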


They still return code that runs javascript in the main codecademy domain, so you could potentially modify the servers to return tainted data to steal cookies and whatnot.


They don't return code that runs JavaScript. All code is executed on the server and only a string of the result is returned. For web courses, evaluation is done client-side and is properly sandboxed. See [1] to learn more about the client-side sandboxing.

[1] https://github.com/Codecademy/stuff.js


Knowing you, you already know :D



