Skip to main content

Secure Python code execution sandbox for LLM-generated code

Project description

LLM Python Sandbox

License: MIT Python 3.9+ Code Style: Black

A secure, multi-layered Python sandbox designed for executing code generated by Large Language Models (LLMs). It provides robust isolation mechanisms to ensure safe execution of untrusted code.

🚀 Features

  • 🔒 Multi-layered Security:

    • AST Validation: Blocks dangerous constructs (e.g., top-level code, eval, exec) before execution.
    • Import Whitelisting: Strictly controls which modules can be imported.
    • Restricted Builtins: Removes access to dangerous built-ins like open, input, etc.
  • 🛡️ Process Isolation:

    • Subprocess Mode: Executes code in a separate process for maximum isolation.
    • Resource Limits: Enforces memory usage and CPU time limits (on supported systems).
    • Wall-clock Timeouts: Prevents infinite loops and hanging processes.
  • 🐼 Data Science Ready:

    • Optimized for pandas DataFrame operations.
    • Supports passing DataFrames in and out of the sandbox.
  • 🔌 Flexible Execution Modes:

    • safe_context: Lightweight in-process isolation (faster, for trusted code).
    • subprocess_sandbox: Full process isolation (safer, for untrusted code).

📦 Installation

This project is configured as a Python package. You can install it using pip:

# Clone the repository
git clone https://github.com/yourusername/llm-python-sandbox.git
cd llm-python-sandbox

# Install in editable mode
pip install -e .

# Install development dependencies
pip install -e ".[dev]"

🛠️ Usage

Basic Execution

The CodeExecutor provides a high-level API for running code.

from src.executor import CodeExecutor

executor = CodeExecutor()

# Execute simple code
code = """
def greet(name):
    return f"Hello, {name}!"
"""

result = executor.execute_code(
    code=code,
    input_variables={"name": "World"},
    verification_code="assert result == 'Hello, World!'",
    execution_mode="subprocess_sandbox"
)

print(result["stdout"])
# Output: Hello, World!

Working with DataFrames

The sandbox is designed to handle data transformations safely.

import pandas as pd
from src.executor import CodeExecutor

executor = CodeExecutor()

# Input DataFrame
df = pd.DataFrame({"value": [1, 2, 3, 4, 5]})

# Code to execute
code = """
import pandas as pd

def transform_data(df):
    df['doubled'] = df['value'] * 2
    return df
"""

result = executor.execute_code(
    code=code,
    input_variables={"df": df},
    return_variables=["transform_data"], # Capture return value
    execution_mode="subprocess_sandbox"
)

# Access returned data
processed_df = result["returned_values"]["transform_data"]
print(processed_df)

Execution Modes

Mode Description Security Level Performance Use Case
default Standard exec() 🔴 Low ⚡ Very High Trusted, local scripts only
safe_context In-process sandbox 🟡 Medium 🚀 High Trusted LLMs, internal tools
subprocess_sandbox Separate process 🟢 High 🐢 Medium Untrusted LLM code, public APIs

🏗️ Architecture

The project consists of several core components:

  • CodeExecutor: The main entry point that orchestrates execution.
  • SubprocessSandbox: Handles process lifecycle, resource limits, and IPC.
  • SafeFunctionContext: Manages the in-process execution environment.
  • ASTValidator: Statically analyzes code structure to reject unsafe patterns.
  • SafeImporter: Intercepts imports to enforce the whitelist.

🔒 Security Model

The sandbox uses a "defense in depth" strategy:

  1. Static Analysis: Code is first parsed into an AST. If it contains forbidden nodes (e.g., exec, eval) or disallowed top-level statements, it is rejected immediately.
  2. Runtime Restrictions: The execution environment has a stripped-down __builtins__ dictionary.
  3. Import Control: A custom __import__ hook verifies strictly against an allowlist (default: math, json, pandas, numpy, etc.).
  4. Process Isolation: Using the subprocess mode adds OS-level isolation, protecting the main application from crashes and memory exhaustion.

⚠️ Note: While robust, no sandbox is 100% impenetrable. Always run untrusted code in a highly restricted environment (e.g., Docker container, gVisor) in production.

🤝 Contributing

Contributions are welcome! Please follow these steps:

  1. install dev dependencies: pip install -e ".[dev]"
  2. Run tests: pytest
  3. Format code: black .
  4. Submit a Pull Request.

📄 License

MIT License

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

llm_python_sandbox-0.1.0.tar.gz (19.6 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

llm_python_sandbox-0.1.0-py3-none-any.whl (15.4 kB view details)

Uploaded Python 3

File details

Details for the file llm_python_sandbox-0.1.0.tar.gz.

File metadata

  • Download URL: llm_python_sandbox-0.1.0.tar.gz
  • Upload date:
  • Size: 19.6 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for llm_python_sandbox-0.1.0.tar.gz
Algorithm Hash digest
SHA256 527c9a4417db9a21f95d7d315bee7b8076b834f3667bc87a65632c731af5697f
MD5 e2a3a4c1b24f67e6ae9a420d05d0f9f2
BLAKE2b-256 b743104ddacecc816b3684695746cd7ef32c58bc34ca479ba4ab4cbc5a71302c

See more details on using hashes here.

Provenance

The following attestation bundles were made for llm_python_sandbox-0.1.0.tar.gz:

Publisher: publish.yml on binzhango/llm_python_sandbox

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file llm_python_sandbox-0.1.0-py3-none-any.whl.

File metadata

File hashes

Hashes for llm_python_sandbox-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 6141d82481e8937964b95fec37c2555467faf596e7159f02157e89979071d08b
MD5 ed64d636f6e1675c81d883ed56dfc730
BLAKE2b-256 a8604e67a0368649bd8900a280479da79de633477273d5c9b08aecd6c86fe7f5

See more details on using hashes here.

Provenance

The following attestation bundles were made for llm_python_sandbox-0.1.0-py3-none-any.whl:

Publisher: publish.yml on binzhango/llm_python_sandbox

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page