Closed. awto closed this issue 6 years ago.
Very good catch, thank you @awto !
Yes, this is a real security issue. microjob needs to sanitize the context before evaluating it but I've no solution for it right now.
Any idea to implement it is welcome, of course!
I think the best solution is to await a message after worker starts, and send the data in that message
Unfortunately, this cannot be done via message passing. In fact, worker threads use v8.serialize function (https://nodejs.org/api/v8.html#v8_v8_serialize_value) and elements like functions and classes are not allowed.
With "ctx" I want to give the capability to emulate the current context inside the anonymous function passed to the job.
So, I'll just mention the thing inside the docs for now.
I hadn't noticed you indeed want to pass functions there; in that case, a strong warning in the docs will be enough.
I actually have a transpiler to make functions serializable including closure captured values, shared references etc, no docs yet though.
Improved docs here: https://github.com/wilk/microjob/commit/1e10c998d7002946f7a1b4b20eb388afb3e89a99. I'm closing this issue, but I'll reopen it if someone finds a better solution.
If the context variable's value is received from a remote user (e.g. an HTML form), and I would expect this to happen often, it is easy to execute any JS expression:
Here's your example (a bit reduced):
Now running it with:
DATA_FROM_USER here simulates remote data.