jbeard4 / SCION

SCXML/Statecharts in JavaScript, moved to gitlab: https://gitlab.com/scion-scxml/scion
https://scion.scxml.io
Apache License 2.0

inter-session datamodel bleedover in a multi-tenant environment #368

Open mattoshry opened 8 years ago

mattoshry commented 8 years ago

When scion is embedded in a node.js app that hosts multiple, simultaneous scxml sessions, the global object is shared between these scxml sessions as a result of the platform eval function's use of the process's global object at [1].

var ctx = vm.createContext(global);

In addition, the use of the process's global gives the scxml application access to a number of objects in the node.js environment we'd rather suppress/hide in our environment:

> Object.keys(global)
[ 'DTRACE_NET_SERVER_CONNECTION',
  'DTRACE_NET_STREAM_END',
  'DTRACE_HTTP_SERVER_REQUEST',
  'DTRACE_HTTP_SERVER_RESPONSE',
  'DTRACE_HTTP_CLIENT_REQUEST',
  'DTRACE_HTTP_CLIENT_RESPONSE',
  'global',
  'process',
  'GLOBAL',
  'root',
  'Buffer',
  'clearImmediate',
  'clearInterval',
  'clearTimeout',
  'setImmediate',
  'setInterval',
  'setTimeout',
  'console',
  'module',
  'require',
  '_' ]

Would be good if the entire eval impl need not be replaced but rather allowed the integrator to pass in the VM's sandbox via the context parameter.

Here's a barebones sandbox that appears to produce the desired behavior:

var sandbox = {};
sandbox.global = sandbox;
var ctx = vm.createContext(sandbox);

[1] https://github.com/jbeard4/SCION/blob/master/lib/runtime/platform-bootstrap/node/platform.js#L57
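
The behaviour reported above can be reproduced with a short script. This is an added example, not part of the original comment or of SCION's code: `sharedGlobal` is a hypothetical stand-in for the process `global`, and the session helpers, `probe` and the sample value are constructed for illustration.

```javascript
'use strict';
const vm = require('vm');

// Hypothetical stand-in for the process-wide object that every session ends up
// sharing when the evaluator calls vm.createContext(global).
const sharedGlobal = { process, require };
sharedGlobal.global = sharedGlobal;

// Shared pattern: every session evaluates against the same contextified object.
function makeSharedSession() {
  const ctx = vm.createContext(sharedGlobal);
  return { eval: (src) => vm.runInContext(src, ctx) };
}

// Pattern proposed in the issue: a fresh, empty sandbox per session.
function makeIsolatedSession() {
  const sandbox = {};
  sandbox.global = sandbox;
  const ctx = vm.createContext(sandbox);
  return { eval: (src) => vm.runInContext(src, ctx) };
}

// Tenant A writes a datamodel value; report what tenant B can then observe.
function probe(makeSession) {
  const tenantA = makeSession();
  const tenantB = makeSession();
  tenantA.eval('global.accountId = "tenant-A-constructed-value"');
  return {
    leakedToB: tenantB.eval('typeof accountId !== "undefined" ? accountId : null'),
    processVisible: tenantB.eval('typeof process') !== 'undefined',
    requireVisible: tenantB.eval('typeof require') !== 'undefined',
  };
}

console.log('shared  :', probe(makeSharedSession));
console.log('isolated:', probe(makeIsolatedSession));
```

A fresh context contains only the JavaScript built-ins, so anything a session legitimately needs (timers, `console`) has to be added to its sandbox explicitly. Node's documentation states that the `vm` module is not a security mechanism, so hostile tenants still call for a process- or container-level boundary.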