Closed o-rumiantsev closed 4 years ago
We changed the Metarhia technology stack strategy: now application isolation should be implemented using Docker; all internal API functions and domain model code are trusted code, so nobody will purposely break dependencies. But we protect the global context by removing recursive refs like `sandbox.global = sandbox;` and freeze all interfaces in `sandbox.api`, but with a shallow freeze (not recursive).
All modules are loaded to the client application sandbox using the `api.registry.require` function, which uses the node.js `require`. So all modules are cached. This can lead to a situation where client application code changes some sandboxed module, and it changes everywhere. For example, client code can be written which deletes all properties from `api.jstp`, so `api.jstp` becomes an empty object on the entire application server: https://github.com/metarhia/impress/blob/5d713d08c6525efb11b9065ef6d95673b48de399/lib/registry.js#L137-L163
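The behaviour discussed in this thread, as an added example that is not code from the Impress repository: two `vm` contexts receive the same cached module object, and the result seen from the second application is compared for a shallow `Object.freeze` of `api` and for a recursive freeze. The `moduleCache`, `load`, `createSandbox`, `deepFreeze` and `demo` names and the `jstp` stub are assumptions made for illustration.

```javascript
'use strict';
const vm = require('vm');

// Stand-in for the require cache: one object per module name per process.
// The `jstp` object below is a constructed stub, not the real library.
const moduleCache = new Map();
const load = (name) => {
  if (!moduleCache.has(name)) {
    moduleCache.set(name, {
      parse: (s) => JSON.parse(s),
      serializer: { indent: 2 },
    });
  }
  return moduleCache.get(name);
};

// Recursive freeze: walks own properties (including nested objects and
// functions) and guards against cycles with a visited set.
const deepFreeze = (obj, seen = new Set()) => {
  const t = typeof obj;
  if (obj === null || (t !== 'object' && t !== 'function')) return obj;
  if (seen.has(obj)) return obj;
  seen.add(obj);
  for (const key of Reflect.ownKeys(obj)) deepFreeze(obj[key], seen);
  return Object.freeze(obj);
};

// Each application gets its own context, but `api.jstp` is the cached object.
const createSandbox = (freeze) =>
  vm.createContext({ api: freeze({ jstp: load('jstp') }) });

// Client code from the issue description: strip every property of api.jstp.
// It runs in sloppy mode, so a failed delete on a frozen object is silent.
const clientCode =
  'for (const key of Object.keys(api.jstp)) delete api.jstp[key];';

// Run the client code in application A, then report what application B sees.
const demo = (freeze) => {
  moduleCache.clear();
  const appA = createSandbox(freeze);
  const appB = createSandbox(freeze);
  vm.runInContext(clientCode, appA);
  return vm.runInContext('Object.keys(api.jstp).join(",")', appB);
};

console.log('shallow freeze, seen from B:', JSON.stringify(demo(Object.freeze)));
console.log('deep freeze, seen from B:   ', JSON.stringify(demo(deepFreeze)));
```

Freezing the cached object recursively also makes it immutable for trusted server code that shares the same cache entry, which is the trade-off against giving each sandbox its own copy.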