Command Lines can be scary.
Websites feel much safer.
Reptile gives you simple, scalable and safe web terminals.
We can install Reptile from the PowerShell Gallery:
Install-Module Reptile
Once installed, we can import it with:
Import-Module Reptile -PassThru
We can also clone the repository and import it from any directory:
git clone https://github.com/PowerShellWeb/Reptile
cd ./Reptile
Import-Module ./ -PassThru
Once installed, we just run reptile:
reptile
This will start a simple terminal with no commands enabled.
You can still 'run' a few things.
2+2 will equal 4. "a" + "b" + "c" will be abc.
Feel free to play around.
Reptile runs in Restricted Language mode, and it's pretty restrictive.
Reptile runs PowerShell in a data block
This only allows whatever commands you choose, and does not allow loops, strong types, or methods.
All a reptile really does is take input, create a data block, and call PowerShell.
Reptile is built with an HttpListener and PowerShell Thread Jobs.
This makes Reptile simple to scale: Just launch more than one job.
Data statements are a constrained form of PowerShell that primarily process data.
Data statements can also run any number of -SupportedCommands.
Data statements cannot access most variables, use methods, reference most types, or loop.
This makes them fairly ideal for a mostly safe REPL loop.
If a command is not supported, it will not be run.
This means that as long as no supported command allows arbitrary code injection, you are safe.
However, if you ran reptile -supportedCommand python,
then that would be a much more dangerous reptile to deal with.
That is why there are some additional safety measures.
By default, reptile will run on a random local loopback port.
This has three security benefits:
- It does not require elevation to administrator
- It does not open an external port
- It is less predictable
If you are running reptile locally as intended, you control which scripts you run, and they can run as you.
If you choose to allow a live reptile instance, you are as safe as the commands the reptile supports.
Scripts that are not parsable as a data block will never be run.
Additionally, if someone succeeds in the miracle of escaping syntax, and the AST is not a single data statement, it will not run.
All data blocks will be evaluated in a background job.
This is a trade-off of performance for security.
Responses will take longer than they would inline, but any potential data corruption is quite literally limited in scope.
The background jobs cannot access the main server thread, and so have a much more difficult time escalating any potential jailbreaks.
Additionally, because the responses are run in background thread jobs, it limits the overall impact of each request, and thus service is harder to deny.
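The pipeline described above (wrap the input in a data block with -SupportedCommand, refuse anything that does not parse to a single data statement, and run the block in a thread job), as an added PowerShell example that is not Reptile's own code. The function names Test-SingleDataStatement and Invoke-ConstrainedInput are hypothetical, and Start-ThreadJob assumes PowerShell 7 or the ThreadJob module.

```powershell
# Added illustration, not Reptile's code: the core of a data-block REPL.
using namespace System.Management.Automation.Language

function Test-SingleDataStatement {
    # Returns $true only if the text parses cleanly to exactly one DATA statement.
    param([string]$Script)
    $tokens = $null; $errors = $null
    $ast = [Parser]::ParseInput($Script, [ref]$tokens, [ref]$errors)
    if ($errors.Count -gt 0 -or -not $ast.EndBlock) { return $false }   # unparsable: never run
    $statements = $ast.EndBlock.Statements
    # A stray '}' in the input would add a second top-level statement here; reject it.
    return ($statements.Count -eq 1 -and $statements[0] -is [DataStatementAst])
}

function Invoke-ConstrainedInput {
    # Wraps user input in a data block, validates the AST, and runs it in a thread job.
    param(
        [Parameter(Mandatory)][string]$InputText,
        [string[]]$SupportedCommand = @()
    )
    # Only the commands named in -SupportedCommand may be called inside the block.
    $allowed = if ($SupportedCommand.Count) { "-SupportedCommand $($SupportedCommand -join ', ')" } else { '' }
    $script = "data $allowed {`n$InputText`n}"

    if (-not (Test-SingleDataStatement -Script $script)) {
        return 'Rejected: input is not a single data statement.'
    }

    # The block is compiled and invoked inside the job, so the caller's runspace
    # (variables, functions, session state) is never visible to the input.
    $job = Start-ThreadJob -ScriptBlock { param($Text) & ([scriptblock]::Create($Text)) } -ArgumentList $script
    # Anything the parser refuses inside the job (a disallowed cmdlet, a loop, a method
    # call) surfaces as an error record rather than as executed code.
    Receive-Job -Job $job -Wait -AutoRemoveJob 2>&1 | ForEach-Object { "$_" }
}

# Constructed sample inputs:
Invoke-ConstrainedInput -InputText '2 + 2'                                    # operators are permitted
Invoke-ConstrainedInput -InputText '"a" + "b" + "c"'
Invoke-ConstrainedInput -InputText 'Get-Date -Format yyyy' -SupportedCommand Get-Date
Invoke-ConstrainedInput -InputText 'Get-Process'                              # not a supported command
Invoke-ConstrainedInput -InputText '2 } ; Get-Process ; data {'               # escape attempt: three statements, rejected
```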
Reptile will Evolve.
Reptile is a new project, and will grow and change with time. Implementation is subject to change.
The next items on the Reptile Roadmap are:
- Additional Protocol Support
  - JsonRPC
  - MCP
  - XRPC
- New Examples
- Better Variable Input
- More Turtles (and other useful interactive tools)