How to run user-submitted scripts securely in a node.js sandbox?

by

You should always run untrusted code in a separate process, which is exactly what the sandbox module does. A simple reason is that vm.runInNewContext('while(true){}', {}) will freeze node.

It starts by spawning a separate process, which will later send the result serialized to JSON on its stdout. The parent process continues executing regardless of what the child does and can trigger a timeout.

The untrusted code is then wrapped in a closure with strict mode (in regular JavaScript, you can use arguments.callee.caller to access data outside of your scope). Finally, a very limited global object is passed to prevent access to node’s API. The untrusted code can only do basic computation and has no access to files or sockets.

While you should read sandbox’s code as an inspiration, I wouldn’t recommend using it as is:

  • The code is getting old and hasn’t been updated for 7 months.
  • The Child Process module in node already provides most of the features you need, especially child_process.fork().
  • The IPC channel provided by child_process.fork probably has better performances.

For increased security, you could also consider using setuid-sandbox. It’s the code used by Google Chrome to prevent tab processes from accessing the file system. You would have to make a native module, but this example seems straightforward.

More Related Contents:

  1. What is Node.js? [closed]
  2. ECMAScript 6 features available in Node.js 0.12
  3. garbage collection with node.js
  4. Why is bind slower than a closure?
  5. Why is let slower than var in a for loop in nodejs?
  6. Are arrow functions faster (more performant, lighter) than ordinary standalone function declaration in v8?
  7. Using ‘let’ as a variable name is not throwing any errors in google v8
  8. Why doesn’t Node.js have a native DOM?
  9. Increase JavaScript Heap size in create-react-app project
  10. How does Bluebird’s util.toFastProperties function make an object’s properties “fast”?
  11. Accessing line number in V8 JavaScript (Chrome & Node.js)
  12. How do I escape a string for a shell command in node?
  13. Maximum number of entries in Node.js Map?
  14. Node JS / V8 destructuring bug?
  15. parseInt vs unary plus, when to use which?
  16. Streaming a video file to an html5 video player with Node.js so that the video controls continue to work?
  17. node.js: read a text file into an array. (Each line an item in the array.)
  18. How to send a message to a particular client with socket.io
  19. ‘await Unexpected identifier’ on Node.js 7.5
  20. Node exits without error and doesn’t await promise (Event callback)
  21. puppeteer: how to wait until an element is visible?
  22. Accessing EJS variable in Javascript logic
  23. Using node.js’s File System functions from a browser
  24. Replace a string in a file with nodejs
  25. nodemon command is not recognized in terminal for node js server
  26. How to append to New Line in Node.js
  27. Babel 7 – ReferenceError: regeneratorRuntime is not defined
  28. Invalid shorthand property initializer [closed]
  29. Update all clients using Socket.io?
  30. Group by Date with Local Time Zone in MongoDB

Leave a Comment