PyMiniRacer (original) author here. PyMiniRacer is definitely a way to run insecure code, but as pointed out, the several CVEs in V8 require measures beyond "just" relying on PyMiniRacer to make it safe.
1. Total control over what APIs the user's code can call: you kinda got it... users can just do plain JS
2. Memory limits: you got it
3. Time limits: you got it, but the current model is unreliable when used at high levels of CPU and a high number of threads.
And thank you so much bpcreech for taking back the ownership of PyMiniRacer!
For the record, PyMiniRacer was a victim of a CVE itself https://nvd.nist.gov/vuln/detail/CVE-2020-25489 - a heap overflow, my mistake.