jackxiao / jslibs

Automatically exported from code.google.com/p/jslibs

Make Sandbox actually work? #81

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Sandbox does not seem to actually be implemented. At least as I see.

For me after loading jsstd the Sandbox object is available, however the
Eval method does not exist. Actually, it doesn't have any properties on it.

Actually, on the topic of Sandbox, I think it would be best implemented
with an instance (of course Sandbox.Eval could still be a static shortcut).

An example use case I think would be something like:
var sb = new Sandbox(optionalObj);
sb.eval('statement');

The reason for that is one of keeping the sandbox's scope and reuse. A good
bit of the cases where I'd like to make use of a Sandbox would probably be
best served where I create one sandbox and run multiple statements in it.
That input object might be best as just what to use as a base.
ie: This would be good:
var sb = new Sandbox({foo: function() 'bar'});
sb.eval('foo();'); // bar
sb.foo(); // bar
sb.bar = {red: 'green'};
sb.eval('bar'); // [object Object]
sb.eval('bar') === sb.bar; // true

This kind of Sandbox handling does seem in line with other sandboxes like
PHP's Runkit_Sandbox (http://ca3.php.net/manual/en/runkit.sandbox.php)

Basically rather than the special Eval, we're in a way just running the
standard eval which is embedded securely into the sandbox.

Perhaps it may actually be possible to set up things so something like this
is possible:
LoadModule('jsstd');
var sb = new Sandbox;
sb.Exec(someScript);
sb.eval('Exec("foo.js");'); // error

Or perhaps `Exec.call(sb, someScript);` makes more sense.

Original issue reported on code.google.com by nadir.se...@gmail.com on 12 Dec 2008 at 2:58

GoogleCodeExporter commented 9 years ago
The SandboxEval() function is implemented in the SVN version of jslibs:
  SandboxEval( scriptCode [ , queryCallback ] [ , operationLimitCount = 4096 ] )
For security reasons (scope inheritance), it is impossible to transmit a JavaScript
object to the sandbox.
However, you can transmit primitive values (non-object) through a Query callback
function.
e.g.
  function QueryCallback(val) {
    return val;
  }
  var res = SandboxEval('1 + 2 + Query(3)', QueryCallback);
  Print( res ); // prints: 6

implementation:
http://www.google.com/codesearch/p?#JIBYGrKTwcg/src/jsstd/static.cpp&l=916

Original comment by sou...@gmail.com on 5 Jan 2009 at 12:37
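
The primitives-only rule from the comment above, as an added example that is not part of the original thread and is not jslibs code. Node.js `vm` stands in for the jslibs sandbox; `sandboxEval`, `isPrimitive` and the timeout used in place of `operationLimitCount` are assumptions.

```javascript
// Added example. Node's `vm` stands in for the jslibs sandbox (assumption);
// `vm` is not a security boundary, so this shows the data-flow rule only.
const vm = require('vm');

// Primitives carry no prototype chain or scope back to the host.
function isPrimitive(v) {
  return v === null || (typeof v !== 'object' && typeof v !== 'function');
}

// A host object seen from inside a context still has the host's prototype.
// That is the scope-inheritance problem: its chain leads to host globals.
function hostObjectKeepsHostPrototype() {
  const ctx = vm.createContext({ obj: {} });
  return vm.runInContext('Object.getPrototypeOf(obj) !== Object.prototype', ctx);
}

// Hypothetical stand-in for SandboxEval(code, queryCallback, limit).
// timeoutMs replaces the operation limit, which `vm` does not offer.
function sandboxEval(code, queryCallback, timeoutMs = 100) {
  const ctx = vm.createContext(Object.create(null));
  // Host side of Query: primitives in, primitives out. Failures become
  // undefined so that no host Error object is thrown into the sandbox.
  const bridge = (val) => {
    if (!isPrimitive(val)) return undefined;
    let out;
    try { out = queryCallback(val); } catch (e) { return undefined; }
    return isPrimitive(out) ? out : undefined;
  };
  // Query is created inside the context, so its prototype chain is the
  // sandbox's own; the host function stays hidden in the closure.
  const install = vm.runInContext(
    '(function (h) { globalThis.Query = function (v) { return h(v); }; })', ctx);
  install(bridge);
  const result = vm.runInContext(code, ctx, { timeout: timeoutMs });
  if (!isPrimitive(result)) throw new TypeError('sandbox result is not a primitive');
  return result;
}
```
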

GoogleCodeExporter commented 9 years ago
Is it ok? I close the issue.

Original comment by sou...@gmail.com on 27 Feb 2009 at 4:10

GoogleCodeExporter commented 9 years ago
Well, it's just one of those features I think is possible in some way, but is too
complex a job to just throw on you.
I'll just throw this onto the list of things to contract someone for. After we're
through a good bit of the current project at work, there might actually be some seed
capital for starting work on another project, so I might be able to get someone
officially to help out.

Original comment by nadir.se...@gmail.com on 27 Feb 2009 at 7:47