npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@damnvulnerablewebsite/interpreter-py

v1.0.5

Published

This package is designed to prototype an interpreter library for python code importer in TypeScript that is designed to be vulnerable.

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

terminalsinterminalsin

Keywords

pythoninterpretervulnerablesecuritytesting

Readme

A deliberately vulnerable Python code interpreter library for TypeScript, designed for educational and security testing purposes.

[!CAUTION] ⚠️ SECURITY WARNING 🚨 THIS PACKAGE CONTAINS INTENTIONAL VULNERABILITIES FOR EDUCATIONAL PURPOSES ONLY! DO NOT USE IN PRODUCTION ENVIRONMENTS! This package is designed to demonstrate common security vulnerabilities in code interpretation systems.

🚀 Installation

npm install @damnvulnerablewebsite/interpreter-py

Prerequisites

  • Node.js 18 or higher
  • Python 3.x installed and accessible in PATH
  • TypeScript (if using TypeScript)

📖 Quick Start

Basic Usage

import { createInterpreter } from '@damnvulnerablewebsite/interpreter-py';

async function example() {
  const interpreter = createInterpreter();
  
  const result = await interpreter.executeCode(`
    print("Hello from Python!")
    import math
    print(f"Pi is approximately {math.pi}")
  `);
  
  console.log('Output:', result.stdout);
  console.log('Success:', result.success);
}

Streaming Output

import { createQuickInterpreter } from '@damnvulnerablewebsite/interpreter-py';

const interpreter = createQuickInterpreter('testing');

interpreter.on('data', (output) => {
  console.log(`[${output.type}]`, output.data);
});

interpreter.on('complete', (result) => {
  console.log('Execution completed:', result.success);
});

await interpreter.executeCode(`
import time
for i in range(3):
    print(f"Step {i + 1}")
    time.sleep(1)
`, { stream: true });

Educational Vulnerability Demonstration

import { createUnsafeInterpreter, createUnsafeContext } from '@damnvulnerablewebsite/interpreter-py';

// WARNING: This creates an interpreter with NO security measures!
const unsafeInterpreter = createUnsafeInterpreter();

// This demonstrates how vulnerabilities can be exploited
const dangerousCode = `
import os
import subprocess

# This would normally be blocked by security measures
print("Current directory:", os.getcwd())
print("Environment vars:", list(os.environ.keys())[:5])

# Command execution
result = subprocess.run(['echo', 'System access!'], capture_output=True, text=True)
print("Command output:", result.stdout)
`;

const result = await unsafeInterpreter.executeUnsafe(dangerousCode, createUnsafeContext());

🛠️ API Reference

Classes

PythonInterpreter

Main interpreter class for executing Python code.

const interpreter = new PythonInterpreter({
  pythonPath: 'python3',
  timeout: 30000,
  maxOutputLines: 1000,
  enableLinting: true,
  allowUnsafeOperations: false
});

PythonLinter

Lints Python code for syntax errors and security issues.

const linter = new PythonLinter();
const result = await linter.lintCode('print("hello")');

Utility Functions

createInterpreter(config?)

Creates a safe interpreter with security measures enabled.

createUnsafeInterpreter(config?)

Creates an unsafe interpreter with all security measures disabled.

createQuickInterpreter(preset, config?)

Creates an interpreter with preset configurations:

  • 'safe' - Maximum security, limited execution time
  • 'testing' - Balanced security for testing
  • 'educational' - Some unsafe operations for learning
  • 'dangerous' - All security measures disabled

checkPythonAvailability(pythonPath?)

Checks if Python is available on the system.

Configuration Options

interface InterpreterConfig {
  pythonPath?: string;          // Path to Python executable
  timeout?: number;             // Execution timeout in ms
  maxOutputLines?: number;      // Maximum output lines
  enableLinting?: boolean;      // Enable code linting
  allowUnsafeOperations?: boolean; // Allow dangerous operations
  workingDirectory?: string;    // Working directory for execution
  environment?: Record<string, string>; // Environment variables
}

Execution Options

interface ExecutionOptions {
  timeout?: number;     // Override timeout
  cwd?: string;         // Working directory
  env?: Record<string, string>; // Environment variables
  stream?: boolean;     // Enable streaming output
  sanitize?: boolean;   // Enable input sanitization
}

🎯 Examples

See the examples/ directory for comprehensive examples:

  • basic-usage.ts - Complete demonstration of all features
  • More examples coming soon...

Run the examples:

npm run dev  # Runs examples/basic-usage.ts

🔒 Security Vulnerabilities (Educational)

This package intentionally contains the following vulnerabilities for educational purposes:

1. Command Injection

  • Environment variables can be manipulated to execute arbitrary commands
  • Python path can be controlled by attackers

2. Arbitrary Code Execution

  • Unsafe mode allows execution of any Python code
  • Linting can be completely bypassed

3. File System Access

  • No sandboxing when unsafe operations are enabled
  • Temporary files may not be properly cleaned up

4. Input Sanitization Bypass

  • Very basic sanitization that can be easily circumvented
  • Regular expressions can be bypassed with alternative syntax

5. Information Disclosure

  • Configuration details exposed in environment variables
  • Error messages may leak sensitive information
  • Temporary file paths may be predictable

6. Resource Exhaustion

  • No limits on execution time when disabled
  • No limits on output size when disabled
  • Memory usage not controlled

🧪 Testing

npm test        # Run tests (when implemented)
npm run build   # Build TypeScript
npm run dev     # Run example in development mode

📜 Scripts

  • npm run build - Compile TypeScript to JavaScript
  • npm run dev - Run example with hot reload
  • npm start - Run compiled JavaScript
  • npm run clean - Remove compiled files

📄 License

ISC License - see LICENSE file for details.

⚖️ Legal Disclaimer

This software is provided for educational and security research purposes only. The authors are not responsible for any misuse of this software. Users must comply with all applicable laws and regulations.

DO NOT USE THIS SOFTWARE IN PRODUCTION ENVIRONMENTS OR FOR MALICIOUS PURPOSES.

🔗 Inspired from

  • DVWA - Damn Vulnerable Web Application
  • WebGoat - Deliberately insecure application
  • Juice Shop - Vulnerable web application