Code execution in Docker Container

[nautics889]

This thread supposed to be about containerization PandasAI. I've decided it's better to create the one here, on discussion board, before opening an according issue. Since there are several moments that should rather be discussed at first.

---

This feature has been already mentioned at least once at #550 as a security mechanism for preventing from RCE attacks.

---

From my point of view, there can be two option in design we can choose to implement this:

1. Full dockerization of the library. This option seems easier to implement at first glance. Basically the point is to make an appropriate dockerfile which can be used by the end user. However i wouldn't say i have an understanding how convenient this would be for the user when, for example, using PandasAI via CLI or even when integrating the library to custom scripts. Also some issues can appear when mounting volumes to provide context for PandasAI.
2. Dockerize on demand, i. e. run docker container for the code execution only. Essentially, in total we have 2 places can be treated potentially vurnelable: invokation of exec() and calling of analyze_data(), both of them invoke instructions can be force-modified by attacker-user. So, the idea of this way is to implement running instructions for those cases in Docker container when user passes (for example) run_in_docker=True. We can dump analyze_data() into a file, mount it to the container, e. g., and then execute python analyze_data.py. There also a few drawbacks, although. Like, as for now i haven't got any idea how to fetch the result of running analyze_data() and prevent further vulnerabilities (when working with the result object). As well as provide a context dictionary for exec() inside a container.

[nautics889]

@gventuri here is a draft topic about containerization i've created in haste.
I'd be glad if you take a look when you have time, but definitely there are lots of points to be discussed.
Looking forward for your comments!

[gventuri]

Hi @nautics889, thanks a lot for bringing the attention to the point.

My idea is the following:

• we keep offering the library as it is for non-production tasks. The real problem could be prompt injection, but I don't think a user would try to jailbreak PandasAI on their own environment to harm their system.
• add a smooth and conveniente way for users to dockerize the library for production use-cases. It's also true that most of the production systems either run on lambdas or on dockerized instances

What do you think?

[nautics889]

@gventuri thanks a lot for your response!
Indeed, the more i thought about how to implement containerization, the less i was sure that the library needs this.
But as for:

add a smooth and conveniente way for users to dockerize the library for production use-cases

sounds as a really useful improvement, totally agree with this!

[nautics889]

Partially resolved ✅