
Comments (4)

anaisbetts avatar anaisbetts commented on June 18, 2024

If you want to be super paranoid you can use a separate process, but realistically the only way to get out of this sandbox is a V8 exploit (which is entirely possible ofc, but not trivial). I'd try to set up the environment s.t. if a user can escape the sandbox, they can only read secrets for their own repo (i.e. via chroots or sth)

from probot.

groundwater avatar groundwater commented on June 18, 2024

Contexts can share heap objects. Anything you pass into the PR script can have its prototype messed with, which is often an exploit vector.

Furthermore, anyone can call while(true){}, and those are uninterruptible, and a DoS attack vector.

I think you'll want a 1-process-per-script model, and possibly use only C++ to pass APIs in to the untrusted script.

Since you don't actually need Node APIs available for your scripts, you could also directly boot V8 isolates in separate threads, communicating via C++/libuv. Here's an old example https://github.com/groundwater/node-isolate-madness that would need updating, but it runs some JS in another thread and uses libuv to call back into the original thread.

from probot.

nathansobo avatar nathansobo commented on June 18, 2024

The DoS attack vector definitely requires separate isolates or processes, but you could write the trusted part of the code in JavaScript by taking advantage of an object-capabilities security model that was enabled by changes in ES5.

There's a talk about it from a member of Google's Caja team and a script floating around called initSES.js that supposedly enables this security model.

The basic idea is that you have to lock down a bunch of JS prototypes and other things to make it impossible, for example, to replace Array.push with your own nefarious version by following references to the prototype from an instance you were given and assigning a new method. If you do that and run untrusted code in an isolated context, you can still do trusted things outside of that context and maintain security.

from probot.

bkeepers avatar bkeepers commented on June 18, 2024

Thanks for the thoughts here. After #89, I'm going to kick this can down the road.

from probot.
