Dify helps users build production-ready LLM applications. Developers can add code nodes in the Workflow, building complex applications with custom processes. To make code-executing safe and efficient while safeguarding against malicious code, we've developed DifySandbox. Today, we're proud to announce that we've made it open source for greater code transparency.

Why We Built DifySandbox?

Offering a Code Execution Environment

Deeply integrated with Workflow, DifySandbox serves as the user-written code execution environment for code nodes, template transform nodes, LLM nodes, and the code Interpreter in tool nodes. As the backbone of complex workflows, DifySandbox enables structured data transformation, data concatenation, and logic processing within LLM applications.

Blocking Malicious Code

In the absence of adequate constraints, both normal business code and potentially malicious code can execute in the same environment. Malicious code may access sensitive resources, read server files, or even delete databases. DifySandbox solves this issue by creating an isolated environment for potentially malicious code while allowing normal business code to operate smoothly.

The Pitfalls of Popular Sandbox Options

Upon evaluating mainstream sandbox solutions in the field, we recognized several drawbacks:

• WebAssembly: Limited adaptability and challenges in installing third-party dependencies.

• Docker: Container-per-task approaches suffer from slow execution speeds and potential Docker hijacking risks.

• Language-specific sandbox packages: Limited to a single language, not a universal solution.

• Kernel extensions: Complex configuration, require system privileges, and pose potential security risks.

Security Mechanisms of DifySandbox

To overcome the constraints of the legacy sandbox and deliver a more secure, adaptable, and versatile code execution environment, we built DifySandbox from the ground up. We implemented isolation strategies across the operating system, file system, network, and more to enhance Dify’s security:

• System Security: Employs a whitelist policy, permits only designated system calls, and successfully prevents unintentional or malicious system call bypasses.

• File System Isolation: User code operates in a self-contained file system.

• Network Isolation: Uses an isolated sandbox network with proxy containers for network access, ensures the integrity of the intranet system, and allows flexible proxy configuration options.

• Permission Isolation: Keeps malicious code confined to the lowest possible permissions.

For more implementation specifics of DifySandbox, please refer to our blog.

Goes Open Source

The source code of DifySandbox is now available on GitHub for public access, in line with our efforts to create a more open and transparent Dify ecosystem. It offers developers several key advantages:

• Extensibility: As a Seccomp-based, system-level solution, DifySandbox currently supports Python and Node.js, with the technical capacity to embrace more languages.

• High Performance: DifySandbox's system-level architecture allows for a single-container, multi-task execution model, eliminating the overhead of creating individual containers for each task and considerably boosting task processing speed.

• Open Access: Beyond its integral role in Dify, DifySandbox is an independent open-source project. It enables all developers to deploy and use secure code execution at no cost.

Join us

We're excited to invite developers to join our community and help shape its future. Your feedback and insights are invaluable in driving Dify's evolution.

Come be a part of our exciting journey! As we advance Dify's multimodal architecture, your involvement is key. See our DifySandbox Contribution Guide for details.