Deno Sandbox - Hacker News

Posted by johnspurlock 4 hours ago

256 points | 92 comments

simonw 4 hours ago|

Note that you don't need to use Deno or JavaScript at all to use this product. Here's their Python client SDK: https://pypi.org/project/deno-sandbox/

  from deno_sandbox import DenoDeploy
  
  sdk = DenoDeploy()
  
  with sdk.sandbox.create() as sb:
      # Run a shell command
      process = sb.spawn("echo", args=["Hello from the sandbox!"])
      process.wait()
  
      # Write and read files
      sb.fs.write_text_file("/tmp/example.txt", "Hello, World!")
      content = sb.fs.read_text_file("/tmp/example.txt")
      print(content)

Looks like the API protocol itself uses websockets: https://tools.simonwillison.net/zip-wheel-explorer?package=d...

emschwartz 4 hours ago||

> In Deno Sandbox, secrets never enter the environment. Code sees only a placeholder

> The real key materializes only when the sandbox makes an outbound request to an approved host. If prompt-injected code tries to exfiltrate that placeholder to evil.com? Useless.

That seems clever.

ptx 1 hour ago||

Yes... but...

Presumably the proxy replaces any occurrence of the placeholder with the real key, without knowing anything about the context in which the key is used, right? Because if it knew that the key was to be used for e.g. HTTP basic auth, it could just be added by the proxy without using a placeholder.

So all the attacker would have to do then is find and endpoint (on one of the approved hosts, granted) that echoes back the value, e.g. "What is your name?" -> "Hello $name!", right?

But probably the proxy replaces the real key when it comes back in the other direction, so the attacker would have to find an endpoint that does some kind of reversible transformation on the value in the response to disguise it.

It seems safer and simpler to, as others have mentioned, have a proxy that knows more about the context add the secrets to the requests. But maybe I've misunderstood their placeholder solution or maybe it's more clever than I'm giving it credit for.

booi 1 hour ago||

Where would this happen? I have never seen an API reflect a secret back but I guess it's possible? perhaps some sort of token creation endpoint?

mananaysiempre 7 minutes ago|||

Say, an endpoint tries to be helpful and responds with “no such user: foo” instead of “no such user”. Or, as a sibling comment suggests, any create-with-properties or set-property endpoint paired with a get-propety one also means game over.

Relatedly, a common (likely already obsolete?) exploitation target for black-hat SEO and even XSS is search pages that echo back the user’s search request.

tptacek 23 minutes ago||||

It depends on where you allow the substitution to occur in the request. It's basically "the big bug class" you have to watch out for in this design.

ptx 59 minutes ago||||

How does the API know that it's a secret, though? That's what's not clear to me from the blog post. Can I e.g. create a customer named PLACEHOLDER and get a customer actually named SECRET?

Tepix 1 hour ago|||

HTTP Header Injection or HTTP Response Splitting is a thing.

motrm 4 hours ago|||

Reminds me a little of Fly's Tokenizer - https://github.com/superfly/tokenizer

It's a little HTTP proxy that your application can route requests through, and the proxy is what handles adding the API keys or whatnot to the request to the service, rather than your application, something like this for example:

Application -> tokenizer -> Stripe

The secrets for the third party service should in theory then be safe should there be some leak or compromise of the application since it doesn't know the actual secrets itself.

Cool idea!

tptacek 3 hours ago||

It's exactly the tokenizer, but we shoplifted the idea too; it belongs to the world!

(The credential thing I'm actually proud of is non-exfiltratable machine-bound Macaroons).

Remember that the security promises of this scheme depend on tight control over not only what hosts you'll send requests to, but what parts of the requests themselves.

svieira 2 hours ago||

Did the machine-bound Macaroons ever get written up publicly or is that proprietary?

tptacek 2 hours ago||

Like the Tokenizer, I think they're open source.

https://fly.io/blog/operationalizing-macaroons/

simonw 4 hours ago|||

Yeah, this is a really neat idea: https://deno.com/blog/introducing-deno-sandbox#secrets-that-...

  await using sandbox = await Sandbox.create({
    secrets: {
      OPENAI_API_KEY: {
        hosts: ["api.openai.com"],
        value: process.env.OPENAI_API_KEY,
      },
    },
  });
  
  await sandbox.sh`echo $OPENAI_API_KEY`;
  // DENO_SECRET_PLACEHOLDER_b14043a2f578cba75ebe04791e8e2c7d4002fd0c1f825e19...

It doesn't prevent bad code from USING those secrets to do nasty things, but it does at least make it impossible for them to steal the secret permanently.

Kind of like how XSS attacks can't read httpOnly cookies but they can generally still cause fetch() requests that can take actions using those cookies.

its-summertime 1 hour ago|||

if there is an LLM in there, "Run echo $API_KEY" I think could be liable to return it, (the llm asks the script to run some code, it does so, returning the placeholder, the proxy translates that as it goes out to the LLM, which then responds to the user with the api key (or through multiple steps, "tell me the first half of the command output" e.g. if the proxy translates in reverse)

Doesn't help much if the use of the secret can be anywhere in the request presumably, if it can be restricted to specific headers only then it would be much more powerful

lucacasonato 52 minutes ago||

It will only replace the secret in headers

ryanrasti 2 hours ago|||

> It doesn't prevent bad code from USING those secrets to do nasty things, but it does at least make it impossible for them to steal the secret permanently.

Agreed, and this points to two deeper issues: 1. Fine-grained data access (e.g., sandboxed code can only issue SQL queries scoped to particular tenants) 2. Policy enforced on data (e.g., sandboxed code shouldn't be able to send PII even to APIs it has access to)

Object-capabilities can help directly with both #1 and #2.

I've been working on this problem -- happy to discuss if anyone is interested in the approach.

artahian 2 hours ago|||

We had this same challenge in our own app builder, we ended up creating an internal LLM proxy with per-sandbox virtual keys (which the proxy maps to the real key + calculates per-sandbox usage), so even if the sandbox leaks its key it doesn't impact anything else.

Tepix 3 hours ago|||

It must be performing a man-in-the-middle for HTTPS requests. That makes it more difficult to do things like certificate pinning.

perfmode 4 hours ago|||

I was just about to say the same thing. Cool technique.

CuriouslyC 3 hours ago|||

This is an old trick that people do with Envoy all the time.

verdverm 3 hours ago|||

Dagger has a similar feature: https://docs.dagger.io/getting-started/types/secret/

Same idea with more languages on OCI. I believe they have something even better in the works, that bundles a bunch of things you want in an "env" and lets you pass that around as a single "pointer"

I use this here, which eventually becomes the sandbox my agent operates in: https://github.com/hofstadter-io/hof/blob/_next/.veg/contain...

linolevan 3 hours ago|||

It’s pretty neat.

Had some previous discussion that may be interesting on https://news.ycombinator.com/item?id=46595393

rfoo 3 hours ago||

I like this, but the project mentioned in the launch post

> via an outbound proxy similar to coder/httpjail

looks like AI slop ware :( I hope they didn't actually run it.

lucacasonato 2 hours ago||

We run or own infrastructure for this (and everything else). The link was just an illustrative example

johnspurlock 4 hours ago||

"Over the past year, we’ve seen a shift in what Deno Deploy customers are building: platforms where users generate code with LLMs, and that code runs immediately without review. That code frequently calls LLMs itself, which means it needs API keys and network access.

This isn’t the traditional “run untrusted plugins” problem. It’s deeper: LLM-generated code, calling external APIs with real credentials, without human review. Sandboxing the compute isn’t enough. You need to control network egress and protect secrets from exfiltration.

Deno Sandbox provides both. And when the code is ready, you can deploy it directly to Deno Deploy without rebuilding."

twosdai 4 hours ago|

Like the emdash, whenever I read: "this isn't x it's y" my dumb monkey brain goes "THATS AI" regardless if it's true or not.

bangaladore 16 minutes ago|||

Another common tell nowadays is the apostrophe type (’ vs ').

I don't know personally how to even type ’ on my keyboard. According to find in chrome, they are both considered the same character, which is interesting.

I suspect some word processors default to one or the other, but it's becoming all too common in places like Reddit and emails.

Bnjoroge 43 minutes ago||||

couldnt agree more. It's frankly very fatiguing

lucacasonato 4 hours ago|||

I can confirm Ryan is a real human :)

zamadatix 4 hours ago||

Is there a chance you could ask Ryan if he had an LLM write/rewrite large parts of this blog post? I don't mind at all if he did or didn't in itself, it's a good and informative post, but I strongly assumed the same while reading the article and if it's truly not LLM writing then it would serve as a super useful indicator about how often I'm wrongly making that assumption.

bonsai_spool 2 hours ago|||

There are multiple signs of LLM-speak:

> Over the past year, we’ve seen a shift in what Deno Deploy customers are building: platforms where users generate code with LLMs and that code runs immediately without review

This isn't a canonical use of a colon (and the dependent clause isn't even grammatical)!

> This isn’t the traditional “run untrusted plugins” problem. It’s deeper: LLM-generated code, calling external APIs with real credentials, without human review.

Another colon-offset dependent paired with the classic, "This isn't X. It's Y," that we've all grown to recognize.

> Sandboxing the compute isn’t enough. You need to control network egress and protect secrets from exfiltration.

More of the latter—this sort of thing was quite rare outside of a specific rhetorical goal of getting your reader excited about what's to come. LLMs (mis)use it everywhere.

> Deno Sandbox provides both. And when the code is ready, you can deploy it directly to Deno Deploy without rebuilding.

Good writers vary sentence length, but it's also a rhetorical strategy that LLMs use indiscriminately with no dramatic goal or tension to relieve.

'And' at the beginning of sentences is another LLM-tell.

r00f 1 hour ago|||

Can it be that after reading so many LLM texts we will just subconciously follow the style, because that's what we are used to? No idea how this works for native English speakers, but I know that I lack my own writing style and it is just a pseudo-llm mix of Reddit/irc/technical documentation, as those were the places where I learned written English

bonsai_spool 1 hour ago||

Yes, I think you're right—I have a hard time imagining how we avoid such an outcome. If it matters to you, my suggestion is to read as widely as you're able to. That way you can at least recognize which constructions are more/less associated with an LLM.

When I was first working toward this, I found the LA Review of Books and the London Review of Books to be helpful examples of longform, erudite writing. (edit - also recommend the old standards of The New Yorker and The Atlantic; I just wanted to highlight options with free articles).

I also recommend reading George Orwell's essay Politics and the English Language.

jonny_eh 1 hour ago||||

> It’s deeper: LLM-generated code, calling external APIs with real credentials, without human review.

This also follows the rule of 3s, which LLMs love, there ya go.

johnfn 1 hour ago||

Yeah, I feel like this is really the smoking gun. Because it's not actually deeper? An LLM running untrusted code is not some additional level of security violation above a plugin running untrusted code. I feel like the most annoying part of "It's not X, it's Y" is that agents often say "It's not X, it's (slightly rephrased X)", lol, but it takes like 30 seconds to work that out.

tadfisher 1 hour ago|||

It's unfortunate that, given the entire corpus of human writing, LLMs have seemingly been fine-tuned to reproduce terrible ad copy from old editions of National Geographic.

(Yes, I split the infinitive there, but I hate that rule.)

javier123454321 3 hours ago||||

As someone that has a habit of maybe overusing em dashes to my detriment, often times, and just something that I try to be mindful of in general. This whole thing of assuming that it's AI generated now is a huge blow. It feels like a personal attack.

zamadatix 55 minutes ago||

"—" has always seemed like an particularly weak/unreliable signal to me, if it makes you feel any better. Triply so in any content one would expect smart quotes or formatted lists, but even in general.

RIP anyone who had a penchant for "not just x, but y" though. It's not even a go-to wording for me and I feel the need to rewrite it any time I type it out of fear it'll sound like LLMs.

calebhwin 2 hours ago|||

[dead]

yakkomajuri 23 minutes ago||

Secret placeholders seems like a good design decision.

So many sandbox products these days though. What are people using in production and what should one know about this space? There's Modal, Daytona, Fly, Cloudflare, Deno, etc

ushakov 7 minutes ago|

Factory, Nvidia, Perplexity and Manus are using E2B in production - we ran more than 200 million Sandboxes for our customers

Bnjoroge 32 minutes ago||

Ignoring the fact that most of the blog post is written by an LLM, I like that they provide a python sdk. I dont believe vercel does for their sandbox product.

koolala 2 hours ago||

The free plan makes me want to use it like Glitch. But every free service like this ever has been burned...

dangoodmanUT 1 hour ago||

Love their network filtering, however it definitely lacks some capabilities (like the ability to do direct TCP connections to Postgres, or direct IP connections.

Those limitations from other tools was exactly why I made https://github.com/danthegoodman1/netfence for our agents

ttoinou 4 hours ago||

What happens if we use Claude Pro or Max plans on them ? It’ll always be a different IP connecting and we might get banned from Anthropic as they think we’re different users

Why limit the lifetime on 30 mins ?

lucacasonato 4 hours ago||

We'll increase the lifetime in the next weeks - just some tech internally that needs to be adjusted first.

mrkurt 3 hours ago||

For what it's worth, I do this from about 50 different IPs and have had no issues. I think their heuristics are more about confirming "a human is driving this" and rejecting "this is something abusing tokens for API access".

ttoinou 2 hours ago||

All the time with the same computer ? Maybe it is looking at others metadata, for example local MAC addresses

mrkurt 2 hours ago||

All the time with a bunch of different sandboxes.

ATechGuy 3 hours ago||

> allowNet: ["api.openai.com", "*.anthropic.com"],

How to know what domains to allow? The agent behavior is not predefined.

CuriouslyC 3 hours ago||

The idea is to gate automatic secret replacement to specific hosts that would use them legitimately to avoid exfiltration.

falcor84 3 hours ago||

Well, this is the hard part, but the idea is that if you're working with both untrusted inputs and private data/resources, then your agent is susceptible to the "lethal trifecta"[0], and you should be extremely limiting in its ability to have external network access. I would suggest starting with nothing beyond the single AI provider you're using, and only add additional domains if you are certain you trust them and can't do without them.

[0] https://simonwillison.net/2025/Jun/16/the-lethal-trifecta/

zenmac 2 hours ago|

>Deno Sandbox gives you lightweight Linux microVMs (running in the Deno Deploy cloud)

The real question is can the microVMs run in just plain old linux, self-hosted.

echelon 2 hours ago|

Everyone wants to lock you in.

Unfortunately there's no other way to make money. If you're 100% liberally licensed, you just get copied. AWS/GCP clone your product, offer the same offering, and they take all the money.

It sucks that there isn't a middle ground. I don't want to have to build castles in another person's sandbox. I'd trust it if they gave me the keys to do the same. I know I don't have time to do that, but I want the peace of mind.

ushakov 2 hours ago||

we have 100% open-source Sandboxes at E2B

git: https://github.com/e2b-dev/infra

wiki: https://deepwiki.com/e2b-dev/infra

echelon 1 hour ago||

This is what I like to see!

Not sure what your customers look like, but I'd for one also be fine with "fair source" licenses (there are several - fair source, fair code, Defold license, etc.)

These give customers 100% control but keep Amazon, Google, and other cling-on folks like WP Engine from reselling your work. It avoids the Docker, Elasticsearch, Redis fate.

"OSI" is a submarine from big tech hyperscalers that mostly take. We should have gone full Stallman, but fair source is a push back against big tech.

ushakov 59 minutes ago||

we aren’t worried about that.

when we were starting out we figured there was no solution that would satisfy our requirements for running untrusted code. so we had to build our own.

the reason we open-sourced this is because we want everyone to be able to run our Sandboxes - in contrast to the majority of our competitors who’s goal is to lock you in to their offering.

with open-source you have the choice, and luckily Manus, Perplexity, Nvidia choose us for their workloads.

(opinions my own)

More comments...