dart-lang / sdk

The Dart SDK, including the VM, JS and Wasm compilers, analysis, core libraries, and more.
https://dart.dev
BSD 3-Clause "New" or "Revised" License

Restrict access to specific libraries when running code in an isolate #16373

Open DartBot opened 10 years ago

DartBot commented 10 years ago

This issue was originally filed by george.moscho...@gmail.com


The option to run Dart code in an isolate (e.g. using Isolate.spawnUri) without access to specific libraries is desirable.

Use case: implementation of a simple sandbox for 'safe' code by restricting access to dart:io.

sgjesse commented 10 years ago

One option here is to have the ability to install a library resolver when spawning an isolate. Such a resolver will be able to supply the source code for any given library overriding the default.

Related to sandboxing, controlling whether native extensions are supported or not is also relevant.


Removed Type-Defect label. Added Type-Enhancement, Library-Isolate, Triaged labels.

lrhn commented 10 years ago

This request keeps popping up, so we will probably need it eventually.

I'm not sure that intercepting core libraries is a good idea, but running isolates in certain configurations/profiles (e.g., no dart:io, no dart:HTML) should probably be supported.

That would also give a coherent story about why the standalone VM has dart:io and the browser (VM or dart2js) has dart:html - they are running in different, but known, profiles, and it generalizes to other profiles that we might need in the future, or that users might need isolates to run in. (I.e., a "profile" is a set of allowed platform libraries, and you can spawnUri isolates in a subset of your own profile only).

In the browser, spawnUri isolates do not have access to the HTML DOM. If they run in a profile with no access to dart:HTML, that would be very, very obvious.

We should never allow preventing or modifying dart:core, probably not dart:collection or dart:math either. I can definitely imagine a profile without dart:async.

We might allow querying the current isolate about which profile it is in, but it's probably not relevant - imports happen, and would fail, long before you get to that point. I don't know how dart2js will handle it, but as with any isolate configuration, they might need to compile the isolate up-front with special flags telling the configuration it will eventually run in, and then test that it's correct when the isolate starts.


cc @floitschG. cc @a-siva. cc @iposva-google.

lrhn commented 10 years ago

Added Area-Library label.