Gregor de Cillia

Reputation: 7655

safe console inside a shiny application

I am currently developing shiny applications that aim to teach R via interactive courses. For that purpose, I have already worked with multiple-choice questions and free-text questions. Now I want to tackle questions where the users of the app (students) can enter their own R code in a text field and run it.

My current implementation basically uses eval inside an observer.

## evaluate the users expression and store the results.
observeEvent(input$evluate, {
  reactives$result <- eval(parse(text = input$console_in))
})

This implementation has serious drawbacks when it comes to security since users can insert and run arbitrary code on the server.

It is planned to release an open-source version of this software at some point. Therefore, I would prefer a solution which is not platform dependent and which doesn't complicate the deployment of the application.

Upvotes: 1

Views: 142

Answers (1)

greg L

Reputation: 4124

For evaluating arbitrary code, I like the whitelisting approach where you put all known and safe functions in an empty environment to be evaluated in. I think that's the simple and easy solution vs. blacklisting functions or trying to sandbox outside of R. Here's a much better answer with examples: Safely evaluating arithmetic expressions in R?

Alternatively, here's a POC package that takes a blacklisting approach: https://github.com/Rapporter/sandboxR

All other sandboxing methods I can think of are Linux specific. There's https://github.com/jeroen/RAppArmor which uses AppArmor to sandbox at the OS level. And then using Docker or Linux containers to run sandboxed code.

Upvotes: 1
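
The allowlisting approach from the answer above, sketched as an added example (not code from the original post or from the linked answer). The helper names `make_safe_env` and `safe_eval`, the contents of `allowed`, and the length and time limits are assumptions chosen for illustration.

```r
# Allowlist of functions students may call (illustrative; extend per lesson).
# Keep anything that resolves names or evaluates code (get, eval, do.call,
# match.fun-based apply functions, ::) off this list.
allowed <- c("+", "-", "*", "/", "^", "(", "sqrt", "exp", "log", "abs",
             "sum", "mean", "c", "length", "round", "min", "max")

make_safe_env <- function(fun_names = allowed) {
  # Parent is emptyenv(), so name lookup from user code never reaches
  # base, the global environment or attached packages.
  env <- new.env(parent = emptyenv())
  for (nm in fun_names) {
    assign(nm, get(nm, envir = baseenv(), mode = "function"), envir = env)
  }
  env
}

safe_eval <- function(code, max_chars = 500, max_seconds = 2) {
  if (!is.character(code) || length(code) != 1 || is.na(code) ||
      nchar(code) > max_chars) {
    return(list(ok = FALSE, error = "input rejected"))
  }
  env <- make_safe_env()                     # fresh environment per submission
  setTimeLimit(elapsed = max_seconds, transient = TRUE)
  on.exit(setTimeLimit(elapsed = Inf), add = TRUE)
  tryCatch({
    exprs <- parse(text = code, keep.source = FALSE)
    value <- NULL
    for (e in exprs) value <- eval(e, envir = env)
    list(ok = TRUE, value = value)
  }, error = function(err) list(ok = FALSE, error = conditionMessage(err)))
}

# Constructed sample submissions.
# Uses only allowlisted functions:
str(safe_eval("round(sqrt(2) * mean(c(1, 2, 3)), 3)"))
# Sys.getenv is not on the list, so lookup fails inside the safe environment:
str(safe_eval("Sys.getenv('HOME')"))
# `::` is not on the list either, so namespace-qualified calls fail too:
str(safe_eval("base::Sys.getenv('HOME')"))
# Syntax errors are returned as a result instead of crashing the observer:
str(safe_eval("sqrt(2"))
```

In the observer from the question, `eval(parse(text = input$console_in))` would become `safe_eval(input$console_in)`, with the app displaying either `value` or `error`. The allowlist restricts which functions can be reached; it does not bound memory use, so OS-level limits are still worth having where the platform offers them.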
