This repository was archived by the owner on Mar 2, 2026. It is now read-only.
Major: Development Playground Exposed to Authenticated Users #10

@AliiiBenn

Description

Priority

🟠 Major - Security & Cost

Location

src/app/(frontend)/(protected)/playground/page.tsx

Problem Description

A development/testing playground page is accessible to all authenticated users at /playground. This page provides:

  • Direct access to both Python compilers (E2B and Pyodide)
  • No rate limiting
  • No usage tracking
  • No access control beyond authentication

Security Risks

1. Cost Attack (E2B API)

Users can:

  • Run unlimited code execution requests
  • Spawn unlimited E2B sandboxes

Each execution costs money via the E2B API, so this could exhaust the API quota or run up large bills.

2. Resource Abuse

  • Continuous code execution attempts
  • Fork bombs or infinite loops
  • Memory exhaustion attacks
  • CPU resource consumption

3. Information Disclosure

  • Test infrastructure exposed
  • Error messages may leak system details
  • E2B API key potentially accessible (if misconfigured)

Recommended Solutions

Option 1: Remove in Production (Recommended)

Add environment check to hide in production.

Option 2: Admin Only Access

Add admin check to restrict access.

Option 3: Rate Limiting + Quotas

If keeping playground, add rate limiting and usage tracking.

Related Issues

Steps to Fix

  1. Immediate: Add environment check to hide in production
  2. Short term: Add admin-only access restriction
  3. Long term: If keeping, add rate limiting and usage tracking
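The three steps above composed into a single pure gating function, as an added example rather than the project's own code: the `roles` field on the session user, the `allowInProduction` flag and the in-memory counter are assumptions, and `page.tsx` would call `gatePlayground` and map the decision to `notFound()`, a login redirect, an error response, or rendering.

```typescript
// Added example, not code from the project: a pure access-gate that applies the
// three fixes in layers. Assumed shapes: the session user carries `roles`,
// and the policy is built from process.env.NODE_ENV by the caller.
type User = { id: string; roles: string[] } | null;
export type Decision = "hidden" | "login" | "forbidden" | "rate_limited" | "allow";

export interface PlaygroundPolicy {
  nodeEnv: string;            // e.g. process.env.NODE_ENV
  allowInProduction: boolean; // false = Option 1, hide the page entirely
  maxRunsPerWindow: number;   // Option 3: per-user execution quota
  windowMs: number;
}

// Sliding-window run counter. Assumption: a single server instance; with
// several instances the counter must live in shared storage instead.
const runLog = new Map<string, number[]>();

export function resetQuotaState(): void {
  runLog.clear();
}

// Records one execution for `userId` unless the quota is already spent.
export function recordAndCheckQuota(userId: string, policy: PlaygroundPolicy, now: number): boolean {
  const cutoff = now - policy.windowMs;
  const recent = (runLog.get(userId) ?? []).filter((t) => t > cutoff);
  const allowed = recent.length < policy.maxRunsPerWindow;
  if (allowed) recent.push(now);
  runLog.set(userId, recent);
  return allowed;
}

// Decides what the /playground route should do for this request.
// The caller maps "hidden" to notFound(), "login" to a redirect,
// "forbidden"/"rate_limited" to an error response, and "allow" to rendering.
export function gatePlayground(user: User, policy: PlaygroundPolicy, now: number = Date.now()): Decision {
  // Option 1: not reachable at all in production unless explicitly kept.
  if (policy.nodeEnv === "production" && !policy.allowInProduction) return "hidden";
  // Existing behaviour: authentication is still required.
  if (!user) return "login";
  // Option 2: only admins may reach the compilers.
  if (!user.roles.includes("admin")) return "forbidden";
  // Option 3: even admins are quota-limited per window.
  if (!recordAndCheckQuota(user.id, policy, now)) return "rate_limited";
  return "allow";
}
```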

Additional Context

This feature is marked as "development-only, to be removed in production" in README.md:90 but is still accessible. This suggests it was meant to be temporary but wasn't properly gated.
