Original post

Hello all. I am familiar with most of and have programmed in other languages years before now, but oddly enough have never come across this issue before. I am stuck in a rut as follows:

I am currently developing a REST API that deals with the execution of untrusted, user supplied code on the backend. This code is uploaded and then arbitrarily executed using a VM (just a Go package) server side. Sandboxing is all taken care of, the user code only performs computation and never accesses any kind of system IO. My issue, however, is to do with potential denial of service attacks. Particularly, the event where someone uploads a script that runs infinitely. The simple counter to this is to include a timeout where, say, after 5 seconds the execution halts. I thought this would be trivial to implement but am now completely stumped at something that I thought would be trivial. Here is my current situation:

The code that executes the script (the VM) blocks while it runs, so I stuck it in its own Goroutine. Since the execution is blocking, there is no room for me to use channels as I would have no way to read or write to them. I figured the best way to work around this would be to set a timer, then kill the Goroutine running the script. This is where I am stumped. I’ve looked on every crevace of the planet and cannot find anything telling me this is possible (the VM itself has no native way to terminate execution either).

Manually implementing this functionality into the VM would work, but the library is massive and I simply don’t have enough time to take on a feat like this. Also, its super easy for me to miss something when maintaining my own fork.

Also, running the code in another process would give a performance hit in terms of startup time and drastically increase code complexity that I would much rather not have to navigate.

Any ideas to get the simple goroutine termination working? Thank you.