
I can't seem to figure out how to set up a Node sandbox which can run untrusted code safely and allows a user to interact with the program through API calls (sys in and out). I'm trying to set up a console in the browser for users to run their own code from the server.

Are there any node packages that support this, or do I need to write my own node VM? Thanks.

Edit: I want a user to be able to write readline() and have the program wait at the breakpoint for data to be transferred in. Similarly, console.log()'s output should redirect to the response of the input API call.

  • Perhaps this: Nodejs VM module? Though if you want full sandbox safety, then you probably need to run a new nodejs process in an actual isolated VM. Also How to run user-submitted scripts securely in a node.js sandbox? Commented Aug 19, 2017 at 5:35
  • I've seen these, but they don't seem to be able to accept input if a user wrote readline(). @jfriend00 check the edit Commented Aug 19, 2017 at 15:11
  • I don't understand what you're trying to do. Where do you expect stdin to come from? Are you expecting a local console? And where do you expect stdout to go? Your question mentions "interact with the program through API calls" which I assumed meant you were starting a server and some other process elsewhere would communicate with that server. Commented Aug 19, 2017 at 20:17
  • Yeah, I have a server running with the user's code on it. When the user makes an API request on the client to run the program, I want a VM to run it. If there is a readline, the program should pause and wait; the response to the client would have any sys out data produced before the breakpoint, and should tell the client that input is expected. When the user enters input, the program resumes until the next input or program end. In either case, the API response would have the sys out. Commented Aug 19, 2017 at 20:40
  • Does this answer your question? How to run untrusted code serverside? Commented Mar 27, 2020 at 10:31

1 Answer


You can use the vm2 module and run almost any code that comes with user input in a secure way.

You can even define whether the user-supplied code will have access to require native Node modules or other modules via relative path, or even define whether code coming from the user input can make an external call.

You can envelop and execute this "untrusted" code in a try/catch to observe catastrophic failures or even set a timeout so that this run does not overwhelm.

Quick example:

const {VM} = require('vm2');
const vm = new VM(); // plain VM: the script gets no require() and cannot reach the host process

vm.run(`process.exit()`); // TypeError: process.exit is not a function

Using the "request" module (builtin) for access to an external resource:

const {NodeVM} = require('vm2');
const vm = new NodeVM({
    require: {
        // let the sandboxed script require() installed packages;
        // allow all modules, or use an Array to whitelist specific ones, e.g. ['request']
        external: true
    }
});

vm.run(`
    var request = require('request');
    request('http://www.google.com', function (error, response, body) {
        console.error(error);
        if (!error && response.statusCode == 200) {
            console.log(body); // Show the HTML for the Google homepage.
        }
    });
`, 'vm.js'); // second argument is the filename used for relative requires and stack traces

By default the entry is compiled into javascript but you can pass a function with your custom compiler.
