
I would like to execute user-submitted JS files safely in my own Node.js application. The user can submit multiple files which can be required and executed by their index.js file which is triggered from my node process.

I have looked into some sandboxing solutions but they either limit the required capabilities or end up breaking the sandbox once a file is "required".

I have looked into vm, vm2, eval etc.

I'd like to restrict access to global variables like process and also restrict access to certain node libraries.

Comments

  • A more concrete use case would be preferred for this kind of question. FYI, sandboxing in most cases does give up access to certain capabilities (especially direct file read/write). Also, didn't the vm docs say "The node:vm module is not a security mechanism. Do not use it to run untrusted code.", which you should abide by? Commented Aug 4, 2022 at 13:17
  • When you say "execute user-submitted JS files in my own Node.js application", you seem to want some interaction between the two (what purpose should it serve otherwise?). How shall this interaction happen? Via a common persistency (file system, database)? Or does your application call a function provided by the user and evaluate its return value? Commented Oct 1, 2022 at 6:36

2 Answers


If packages such as vm2 don't satisfy you, I think nothing in Node.js will satisfy you. One option if you're running on Linux is to use chroot (either using the chroot module or by spawning it with child_process), which would give you full control over the environment the untrusted code is executed in.



You should try JavaScript V8 engine isolates. They're more restricted and might be missing some functionality, but they deliver the level of security necessary when handling untrusted code. This https://www.npmjs.com/package/isolated-vm should give you the right interface to run user code and even extend default V8 features.
