metarhia / impress

Enterprise application server for Node.js and Metarhia private cloud ⚡
https://metarhia.com
MIT License

Sandbox isolation defect #1193

Closed o-rumiantsev closed 4 years ago

o-rumiantsev commented 5 years ago

All modules are loaded into the client application sandbox using the `api.registry.require` function, which uses Node.js `require`. So all modules are cached. This can lead to a situation where client application code changes some sandboxed module, and it changes everywhere. For example, client code can be written which deletes all properties from `api.jstp`, so `api.jstp` becomes an empty object on the entire application server: https://github.com/metarhia/impress/blob/5d713d08c6525efb11b9065ef6d95673b48de399/lib/registry.js#L137-L163

tshemsedinov commented 4 years ago

We changed the Metarhia technology stack strategy: now application isolation should be implemented using Docker; all internal API functions and domain model code are trusted code, so nobody will purposely break dependencies. But we protect the global context by removing recursive refs like `sandbox.global = sandbox;` and freeze all interfaces in `sandbox.api`, but with a shallow freeze (not recursive).
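The following is an added example, not code from impress or from either commenter. It reproduces the shared-reference defect and compares no freeze, shallow freeze and recursive freeze across two `vm` contexts. `makeLoader`, `deepFreeze`, `PROTECT` and `whatTenantBSees` are hypothetical names, the `jstp` object is a constructed stand-in, and "shallow" is assumed to mean freezing `api` and each interface one level deep.

```javascript
const vm = require('node:vm');

// Constructed stand-in for require(): one cached object per module name,
// so every sandbox receives the same reference (the defect in this issue).
const makeLoader = () => {
  const cache = new Map();
  return (name) => {
    if (!cache.has(name)) cache.set(name, { version: '1.0', handlers: { ping: () => 'pong' } });
    return cache.get(name);
  };
};

// Recursively freeze own data properties (cycle-safe, never calls getters).
const deepFreeze = (value, seen = new WeakSet()) => {
  const isRef = value !== null &&
    (typeof value === 'object' || typeof value === 'function');
  if (!isRef || seen.has(value)) return value;
  seen.add(value);
  for (const key of Reflect.ownKeys(value)) {
    const desc = Object.getOwnPropertyDescriptor(value, key);
    if ('value' in desc) deepFreeze(desc.value, seen);
  }
  return Object.freeze(value);
};

const PROTECT = {
  none: (api) => api,
  // Assumed reading of "shallow freeze": api and each interface, one level.
  shallow: (api) => {
    Object.values(api).forEach((iface) => Object.freeze(iface));
    return Object.freeze(api);
  },
  deep: (api) => deepFreeze(api),
};

// Sloppy-mode client code, so deletes on frozen objects fail silently.
const TENANT_A_CODE = `
  for (const k of Object.keys(api.jstp.handlers)) delete api.jstp.handlers[k];
  for (const k of Object.keys(api.jstp)) delete api.jstp[k];`;
const PROBE = `JSON.stringify({ keys: Object.keys(api.jstp).length,
  handlers: Object.keys(api.jstp.handlers || {}).length })`;

// Tenant A runs TENANT_A_CODE; the return value is what tenant B then sees.
const whatTenantBSees = (mode) => {
  const load = makeLoader();
  const sandbox = () => vm.createContext({ api: PROTECT[mode]({ jstp: load('jstp') }) });
  const [a, b] = [sandbox(), sandbox()];
  vm.runInContext(TENANT_A_CODE, a);
  return JSON.parse(vm.runInContext(PROBE, b));
};
```

With `shallow`, the top-level properties of `api.jstp` survive but the nested `handlers` object is still emptied for every sandbox; only the recursive freeze leaves both intact.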