Can Kotlin be sandboxed?


#1

Can I use Kotlin to allow users to develop plugins for my app but give them sandboxed access? As in, not allowing them to use certain APIs like the filesystem API, so that they can’t walk the server or read files they shouldn’t, etc…

So basically, to create a sandbox where they would have access only to the API that is exposed to them, and not be able to import everything they want.


#2

That’s not a Kotlin specific feature. You’d use the JVM sandboxing architecture to do that.


#3

Can you point me into the right direction to know what exactly to look for?


#4

java.lang.SecurityManager is the JDK sandboxing mechanism. See this tutorial for more info: https://docs.oracle.com/javase/7/docs/technotes/guides/security/spec/security-spec.doc1.html
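As an added illustration of the SecurityManager approach (this is example code, not from the thread or the Kotlin project), the sketch below runs plugin code under an AccessControlContext whose only ProtectionDomain carries an empty permission set, so a direct file read from the plugin fails while the same read through a host-controlled API succeeds. The names HostPolicy, runPlugin and PluginApi are assumptions; a real host would also load plugins through their own ClassLoader and ProtectionDomain rather than as lambdas, and note that SecurityManager is deprecated for removal since JDK 17 and must be enabled with -Djava.security.manager=allow on JDK 18 and later.

```kotlin
import java.io.File
import java.security.AccessControlContext
import java.security.AccessController
import java.security.Permission
import java.security.Permissions
import java.security.Policy
import java.security.PrivilegedAction
import java.security.ProtectionDomain

// Policy consulted for host (classpath) code: grants everything. Narrow this in a real deployment.
object HostPolicy : Policy() {
    override fun implies(domain: ProtectionDomain, permission: Permission): Boolean = true
}

// A ProtectionDomain built with the two-argument constructor is static: it never consults the
// Policy, so an empty Permissions set means every permission check against it fails.
private val pluginDomain = ProtectionDomain(null, Permissions())
private val pluginContext = AccessControlContext(arrayOf(pluginDomain))

// Run plugin code with the restricted context. The effective permissions are the intersection
// of the calling stack's domains and pluginDomain, i.e. nothing.
fun <T> runPlugin(action: () -> T): T =
    AccessController.doPrivileged(PrivilegedAction { action() }, pluginContext)

// The API the host chooses to expose. The privileged block deliberately stops the stack walk
// at host code, so the method itself must constrain what the plugin can do (fixed file,
// bounded line length).
class PluginApi(private val log: File) {
    fun log(line: String) {
        AccessController.doPrivileged(PrivilegedAction { log.appendText(line.take(200) + "\n") })
    }
}

fun main() {
    Policy.setPolicy(HostPolicy)                 // must happen before the manager is installed
    System.setSecurityManager(SecurityManager()) // JDK 18+: run with -Djava.security.manager=allow

    // Constructed sample files standing in for a host secret and the plugin's log.
    val secret = File.createTempFile("host-secret", ".txt").apply { writeText("db-password\n"); deleteOnExit() }
    val pluginLog = File.createTempFile("plugin", ".log").apply { deleteOnExit() }
    val api = PluginApi(pluginLog)

    println("host reads secret: " + secret.readText().trim())   // host code: allowed

    val outcome = try {
        runPlugin { secret.readText() }                           // plugin touches the filesystem directly
        "plugin read the secret (sandbox NOT effective)"
    } catch (e: SecurityException) {                              // AccessControlException is a SecurityException
        "plugin denied: ${e.message}"
    }
    println(outcome)

    runPlugin { api.log("hello from plugin") }                    // same plugin, via the exposed API: allowed
    println("plugin log: " + pluginLog.readText().trim())
}
```

The restriction comes from the context, not from which class the lambda belongs to, which is why the exposed API must be the only place that re-enters host privileges.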


#5

Thank you.


#6

Be aware that constructing secure, safe sandboxes with the JVM APIs is tricky. It can be done and the JVM provides everything you need, but there are a lot of different ways to do it and a lot of different ways to screw it up.

You can take a look at this library for ideas: