Closed alexec closed 2 years ago
Otto is just a JavaScript interpreter. There's nothing sandboxy (or counter-sandboxy) about it in particular.
Note that hardening a system that runs arbitrary code is incredibly difficult, and guarantees can never really be made. Check out docker, for instance. There's always some horrific vulnerability in that fresh in everyone's memory, and it's written and maintained by many thousands of people very good at this.
Instead of running arbitrary code handed to you by your users, consider whether you should be handing them a loaded gun in the first place.
That's what I expected, thank you!
I'd like to understand if it is OK to use Otto to run semi-trusted or untrusted code?