felixge / node-sandboxed-module

A sandboxed node.js module loader that lets you inject dependencies into your modules.
MIT License

Untrusted modules? #47

Closed billinghamj closed 9 years ago

billinghamj commented 9 years ago

Obviously not looking for any guarantees...

Looking to understand if this is reasonably suitable for the purpose of running untrusted code and only allowing it access to specific data, not allowing access to the system/process/filesystem/runtime/etc.

domenic commented 9 years ago

I don't think so. There are some pretty easy workarounds for that kind of thing, e.g. accessing `anyObjectFromTheOutside.constructor("this")` to get the outer global. For proper lockdown you should use something like Google Caja's SES. @kriskowal has a port of that over at https://github.com/drses/ses although it has an ominous status warning at the top.
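
The leak described in the comment above, written as a check you can run against the dependencies you plan to inject. This is an added example, not part of the comment and not code from sandboxed-module; it assumes the sandbox is a Node.js `vm` context, uses the `value.constructor.constructor('return this')()` form of the path, and `leakedNames`, `dataOnlySandbox` and the sample dependencies are hypothetical names constructed for illustration.

```javascript
// Added example; not code from sandboxed-module or from the thread.
const vm = require('node:vm');

// Runs inside the context. For each injected name it walks
// value.constructor.constructor (a Function constructor) and asks that
// constructor for its global object.
const PROBE = `(function (names) {
  const found = [];
  for (const name of names) {
    try {
      const F = globalThis[name].constructor.constructor;
      found.push({ name, global: F('return this')() });
    } catch (e) { /* no constructor chain on this value */ }
  }
  return found;
})`;

// Returns the injected names through which sandboxed code can reach the
// host's global object (and therefore process).
function leakedNames(sandbox) {
  const context = vm.createContext(sandbox);
  const probe = vm.runInContext(PROBE, context);
  return probe(Object.keys(sandbox))
    .filter((hit) => hit.global === globalThis)
    .map((hit) => hit.name);
}

// Narrow fix for plain data: rebuild each value inside the context from JSON,
// so its prototype chain belongs to the context rather than the host.
// Only works for JSON-serializable values.
function dataOnlySandbox(data) {
  const sandbox = vm.createContext(Object.create(null));
  for (const [name, value] of Object.entries(data)) {
    const json = JSON.stringify(JSON.stringify(value));
    sandbox[name] = vm.runInContext(`JSON.parse(${json})`, sandbox);
  }
  return sandbox;
}

// Constructed sample dependencies.
const naive = { config: { apiUrl: 'https://example.invalid' }, log() {}, limit: 10 };
console.log(leakedNames(naive)); // [ 'config', 'log' ]
console.log(leakedNames(dataOnlySandbox({ config: naive.config, limit: 10 }))); // []
```

An empty result only means this one path is closed for the values tested. The Node.js documentation states that `vm` is not a security mechanism, so it does not make the context suitable for untrusted code.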

billinghamj commented 9 years ago

Awesome, thank you :)

kriskowal commented 9 years ago

I’ve been kinduh waiting for a better vm module for SES. Maybe I should revisit SES on iojs.