joshuawise / expression-sandbox Goto Github PK
View Code? Open in Web Editor NEWThis project forked from nx-js/compiler-util
A small tool for evaluating JavaScript code in a secure sandbox, for Node.js or the modern browser.
License: MIT License
expression-sandbox's People
Stargazers
Watchers
expression-sandbox's Issues
Halting problem
Obviously, we can't solve this.
But we do need some way to interrupt things like while(1)
I think the only way around this is to use an iframe or webworker...
I have toyed with injecting yield into the payload (using a babel plugin) but I never got all the edges sorted out... You can walk the function and look for WhileStatement (etc) and insert a yield at the start of every block then when we run our untrusted code...
const untrusted = `
let i = 0;
while(true) {i++}
`
const userCodeAfterAstTransform = new Function(`return function* () {
try {
let i = 0;
while(yield) {
yield i++
}
} catch (e) {
yield {error: e};
}
}`)();
function run(it, callback) {
requestIdleCallback(deadline => {
let val = it.next();
while (!val.done) {
if (deadline.timeRemaining() <= 0) {
run(it, callback);
return;
}
val = it.next();
}
callback(val.value);
});
}
run(userCodeAfterAstTransform(), log);Using expression-sandbox
I'd like to use an expression-sandbox for implementing secured mode in Klipse.
I have tried the naive approach suggested in https://blog.risingstack.com/writing-a-javascript-framework-sandboxed-code-evaluation/
Do you think that expression-sandbox could be helpful?
I have played with it a bit. The problem is that
Sandboxes are only allowed to return primitive values
and
You cannot set properties on a sandboxed object.
more constructors
Here's a more complete list of standard constructors for you:
const constructors = [
Array,
ArrayBuffer,
Boolean,
Date,
Error,
EvalError,
Float32Array,
Float64Array,
Function,
Int8Array,
Int16Array,
Int32Array,
Map,
Number,
Object,
RangeError,
ReferenceError,
RegExp,
Set,
String,
SyntaxError,
TypeError,
Uint8Array,
Uint8ClampedArray,
Uint16Array,
Uint32Array,
URIError,
WeakMap,
WeakSet
];Problem due to freezing Javascript native types
I have a fairly bizarre use-case, but it's causing a problem. I have a section of code that mimics inheriting from Function, which involves creating a mock "prototype," and creating a mock property called "constructor," then copying these over to a function(). The problem is, once I run require('expression-sandbox') it freezes the Javascript native prototypes, so I get an error that I'm trying to write to a read-only property (constructor).
Looking through your code, my thought is, is there a way to do all the freezing right before running the sandboxed expression, then unfreezing when the execution is finished, rather than freezing everything when the module loads and then leaving it like it currently does? That would solve my problem I believe.
Thanks.
freezing Error breaks Node.js
Code in Node.js v8.7.0:
this.name = 'AssertionError [ERR_ASSERTION]';The error message is: TypeError: Cannot assign to read only property 'name' of object 'Error: false == true'
Any ideas?
How do I expose "safe" functions to the sandbox
I'm trying to provide a write function to my sandbox.
The write command in itself is pretty complex and written in TypeScript, so I won't post it.
The sandboxed code looks like this:
var code = compiler('(function () { try { \
\
write("Hello World!\\n>"); \
\
} catch(err) { log(err) } })()');and I run it like this:
code({
write: function(msg: string) {
terminalObj.write(msg);
},
log: function(msg: any) {
console.info(msg);
}
});Now what happens is that within my terminalObj.write is e.g. a slice on an array of numbers that is a property of my terminalObj. Right at the slice (I've narrowed it down to just the slice) the sandbox kicks in and claims: "Error: You cannot set properties on a sandboxed object"
Here is a screenshot I took from apply right before the set function will throw the top exception with the error message above:
multi line function code
Hi,
I would like to compile code like this:
const myFunc = '
const res = {};
res.email = '[email protected]';
res.email2 = 'faker.internet.email()';
return JSON.stringify(res);
'
const code = compiler(myFunc);
const result = code({ JSON });
console.log(result);
But this does not work because of the hardcoded 'return' statement. Is there a way to compile code like this?
Or would you accept a pull request with an additional compile function?
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. ๐๐๐
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google โค๏ธ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.