Thursday, 29 November 2018

Node.js Sandbox For Running Untrusted User Submitted Code

I’m trying to source a node.js sandbox capable of running untrusted user submitted code.


There are a couple of posts regarding this, but they are all old. I’m hoping an up-to-date post will help.
(2011) How to run user-submitted scripts securely in a node.js sandbox?
(2012) How to run untrusted code serverside?
(2013) Safely sandbox and execute user submitted JavaScript?


Through the other posts and researching this I’ve found the following sandboxes and exploits:
(Jailed) https://github.com/asvd/jailed
(Jailed Exploit) https://github.com/asvd/jailed/issues/33

(Sandbox) https://github.com/gf3/sandbox
(Sandbox Exploit) https://github.com/gf3/sandbox/issues/50

(Sandcastle) https://github.com/bcoe/sandcastle
(Sandcastle Exploit) https://github.com/bcoe/sandcastle/issues/70

(Node’s VM) https://nodejs.org/api/vm.html#vm_vm_runinthiscontext_code_options
(In documentation) Note: The vm module is not a security mechanism. Do not use it to run untrusted code.

(VM2) https://github.com/patriksimek/vm2
(VM2 Exploit) https://github.com/patriksimek/vm2/issues/76


Does anyone know of a node.js sandbox with no known exploits?


