I’m trying to source a node.js sandbox capable of running untrusted user submitted code.
There are a couple of posts regarding this but they are all old. I’m hoping an up to date post will help.
(2011) How to run user-submitted scripts securely in a node.js sandbox?
(2012) How to run untrusted code serverside?
(2013) Safely sandbox and execute user submitted JavaScript?
Through the other posts and researching this I’ve found the following sandboxes and exploits:
(Jailed) https://github.com/asvd/jailed
(Jailed Exploit) https://github.com/asvd/jailed/issues/33
(Sandbox) https://github.com/gf3/sandbox
(Sandbox Exploit) https://github.com/gf3/sandbox/issues/50
(Sandcastle) https://github.com/bcoe/sandcastle
(Sandcastle Exploit) https://github.com/bcoe/sandcastle/issues/70
(Node’s VM) https://nodejs.org/api/vm.html#vm_vm_runinthiscontext_code_options
(In documentation) Note: The vm module is not a security mechanism. Do not use it to run untrusted code.
(VM2) https://github.com/patriksimek/vm2
(VM2 Exploit) https://github.com/patriksimek/vm2/issues/76
Does anyone know of a node.js sandbox with no known exploits?
from Node.js Sandbox For Running Untrusted User Submitted Code
No comments:
Post a Comment