yael333 / camouflage

Polyglot File Detector

JS should be sandboxed #6

Open eternaleclipse opened 1 year ago

eternaleclipse commented 1 year ago

Currently every file is being executed with node. This is dangerous and essentially gives any input file easy code execution.

One possible solution is to use a JS sandbox, such as: https://github.com/Bromeon/js-sandbox

Keep in mind this issue will keep coming up as we introduce additional external parsers that are not rust-native. We may need to solve this using a generic sandboxing approach.

eternaleclipse commented 1 year ago

Solving this may also solve the TODOs mentioned in the file:

eternaleclipse commented 1 year ago

I've just noted the -c flag. It's OK, but there is probably a safer way to do this from within rust (?)

yael333 commented 1 year ago

I fully agree, yea. I don't know much about it at the moment, but I assume there's a better way that would encapsulate and isolate all future code checking (not limited to JS as well).

Although for now we'd only have to check the validity of programs (although checking the output would be pretty sweet), here are some rust solutions that might be better:

Javascript specific: https://crates.io/crates/rquickjs https://crates.io/crates/boa_engine

Sandboxing in Rust: https://crates.io/crates/pandora_box https://crates.io/crates/rusty-sandbox
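Added example, not code from the camouflage project: the two cheap mitigations discussed in this thread in Rust, namely invoking node in parse-only mode (`--check`) instead of executing the input, and running any external checker with a cleared environment, no stdin, and a hard timeout so a hostile input cannot stall the scanner. It assumes a `node` binary on PATH; the timeout helper is generic so it can wrap future non-Rust parsers as well. A real sandbox (seccomp, a jail, or an embedded engine such as the crates listed above) is still needed for anything that actually evaluates the input.

```rust
// Added example (not the camouflage project's code): run an external parser
// as a syntax checker only, with a hard wall-clock limit and a minimal
// environment. Assumes a `node` binary is on PATH.
use std::path::Path;
use std::process::{Command, Stdio};
use std::thread;
use std::time::{Duration, Instant};

#[derive(Debug, PartialEq)]
pub enum Outcome {
    /// Checker exited on its own; `true` means the input parsed cleanly.
    Exited(bool),
    /// Checker exceeded the deadline and was killed.
    TimedOut,
}

/// Build `node --check <file>`: parse only, never execute. The environment is
/// not inherited, stdin is closed, and all output is discarded so the checker
/// has as little to interact with as possible.
pub fn node_syntax_check(file: &Path) -> Command {
    let mut cmd = Command::new("node");
    cmd.arg("--check").arg(file);
    cmd.env_clear();
    cmd.stdin(Stdio::null())
        .stdout(Stdio::null())
        .stderr(Stdio::null());
    cmd
}

/// Run any checker command with a wall-clock limit. On overrun the child is
/// killed and reaped, so a crafted input that makes the parser spin forever
/// cannot hang the detector.
pub fn run_checked(cmd: &mut Command, limit: Duration) -> std::io::Result<Outcome> {
    let mut child = cmd.spawn()?;
    let deadline = Instant::now() + limit;
    loop {
        if let Some(status) = child.try_wait()? {
            return Ok(Outcome::Exited(status.success()));
        }
        if Instant::now() >= deadline {
            child.kill()?;
            child.wait()?; // reap so no zombie is left behind
            return Ok(Outcome::TimedOut);
        }
        thread::sleep(Duration::from_millis(10));
    }
}
```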