Closed bmeck closed 12 years ago
As a side note:
a test should also see if the global is leaking via `(function(){return this})().process` to ensure you are calling the safe function in the proper context.
I believe you can also exploit a Node `vm.runInNewContext` hack to prevent this issue. AFAIK, all the built-in ECMAScript objects are cloned from the parent context into the sandbox context, so you can do `Function.prototype.toString = function(){};` before calling `vm.runInNewContext`.
While this behavior seems to be implementation specific at the moment, the general idea of redefining `Function#toString` should still suffice.
rehanift, no, the `Function.toString` was just to simplify how the code looks rather than making a large string.
see #10
The following shows a leak:
The calling function is leaking info; the way around this is to wrap any user script in a function that is created inside of the sandbox and only allow communication through closures. I.e.:
becomes
Once you get the safe function you would then invoke it using `f(comm,'x=1')`.
It is not pretty but prevents leaks.
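
A test along the lines of the side note and the wrapper described above, as an added example that is not part of the original thread or the project's code: it runs the `(function(){return this})().process` probe through an evaluator created inside the sandbox and through one created in the host context. The helper names and the sandbox objects are assumptions made for illustration.

```javascript
// Added example: global-leak check for a Node vm sandbox (helper names are hypothetical).
const vm = require('vm');

// Probe from the side note: a sloppy-mode call resolves `this` to the global
// object of the context the function was created in.
const PROBE = "typeof (function(){return this})().process";

// Evaluator created INSIDE the sandbox: its direct eval runs in the sandbox context.
function makeSandboxEvaluator(sandbox) {
  return vm.runInNewContext("(function (src) { return eval(src); })", sandbox);
}

// Evaluator created in the HOST context: indirect eval runs against the host global.
function makeHostEvaluator() {
  return function (src) { return (0, eval)(src); };
}

// Returns true when the probe cannot see a `process` object on its global.
function isContained(evaluator) {
  return evaluator(PROBE) === "undefined";
}

function runLeakChecks() {
  return {
    // Function built in the sandbox and called from the host: global stays the sandbox.
    sandboxFunction: isContained(makeSandboxEvaluator({})),
    // Function built in the host: user code sees the host global.
    hostFunction: isContained(makeHostEvaluator()),
    // Misconfiguration: a host global copied into the sandbox object is visible again.
    sandboxWithProcess: isContained(makeSandboxEvaluator({ process: process })),
  };
}

console.log(runLeakChecks());
```

A passing check covers only this probe; it says nothing about other references handed to the script, such as the communication object.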