安全沙箱和执行用户提交的JavaScript?

I would like to have the ability to let users submit arbitrary JavaScript code, which is then sent to a Node.JS server and safely executed before the output is sent back to multiple clients (as JSON). The eval function comes to mind, but I know this has multiple security concerns (the user submitted code would be able to access Node's File API, etc). I have seen some projects like Microsoft Web Sandbox and Google Caja which allow execution of sanitized markup and script (for embedding third-party ads on websites), but it seems that these are client-side tools and I'm not sure if they can be safely used within Node.

我希望能够让用户提交任意的JavaScript代码，然后将其发送到一个节点。在输出被发送回多个客户端(以JSON格式)之前安全执行。eval函数出现在脑海中，但我知道它有多个安全问题(用户提交的代码可以访问Node的文件API等)。我已经看到了一些项目，比如Microsoft Web Sandbox和谷歌Caja，它们允许执行干净的标记和脚本(在网站上嵌入第三方广告)，但是这些都是客户端工具，我不确定它们是否可以安全地在节点内使用。

Is there a standard way to sandbox and execute non-trusted JavaScript in Node, getting the output. Is it a mistake to try and do this server-side?

是否有一种标准的方法来沙箱并在节点中执行不受信任的JavaScript，以获取输出。尝试在服务器端执行此操作是错误的吗?

EDIT: It's not important that the user be able to leverage the full capabilities of JavaScript, in fact it would be preferable to be able to pick and choose which APIs would be provided to the user code.

编辑:用户能够充分利用JavaScript的功能并不重要，事实上，更好的做法是选择并选择向用户代码提供哪些api。

EDIT: I am going to go ahead and update with what I found. This Sandcastle module (bcoe/sandcastle) seems to aim to do what I have in mind. Not sure how secure it is, but since I this is not for anything too important I think I'll if try it. I'll add my own answer if I'm able to successfully do this.

编辑:我将继续更新我发现的内容。这个Sandcastle模块(bcoe/ Sandcastle)似乎打算做我想做的事情。我不知道它有多安全，但既然我这不是为了什么太重要的事，我想我还是试试吧。如果我能成功地做到这一点，我会加上我自己的答案。

4 个解决方案

#1

This answer is outdated as gf3 does not provide protection against sandbox breaking

这个答案已经过时了，因为gf3不提供沙箱破坏保护

http://gf3.github.io/sandbox/ - it uses require('child_process') instead of require('vm').

http://gf3.github。io/sandbox/ -它使用require('child_process')而不是require('vm')。

#2

You can use sandbox support in nodejs with vm.runInContext('js code', context), sample in api documentation:

您可以在node . runincontext ('js代码'，context)中使用sandbox支持，api文档示例如下:

https://nodejs.org/api/vm.html#vm_vm_runinthiscontext_code_options

https://nodejs.org/api/vm.html vm_vm_runinthiscontext_code_options

const util = require('util');
const vm = require('vm');

const sandbox = { globalVar: 1 };
vm.createContext(sandbox);

for (var i = 0; i < 10; ++i) {
    vm.runInContext('globalVar *= 2;', sandbox);
}
console.log(util.inspect(sandbox));

// { globalVar: 1024 }

WARN: As pointed by "s4y" it seems to be flawled. Please look at the comments.

警告:正如s4y所指出的，它似乎是有缺陷的。请看评论。

#3

Under Node.js you may create a sandboxed child process, but you also need to append the code with "use strict";, otherwise it is possible to break the sandbox with arguments.callee.caller.

在节点。您可以创建一个沙盒子进程，但是您还需要添加带有“使用严格”的代码;否则可能会使用arguments.calley .caller来破坏沙箱。

Not sure why you need to send it to the server, because the code may also be executed in a sandboxed web-worker.

不知道为什么需要将其发送到服务器，因为代码也可以在沙盒web worker中执行。

Also take a look at my Jailed library which simplifies everything just mentioned for both Node.js and web-browser, and additionally provides an opportunity to export a set of functions into the sandbox.

还可以查看一下我被监禁的库，它简化了对两个节点都提到的所有内容。以及web浏览器，并提供了将一组函数导出到沙箱中的机会。

#4

One alternative would be to use http://github.com/patriksimek/vm2:

另一种选择是使用http://github.com/patriksimek/vm2:

$ npm install vm2

then:

然后:

const {VM} = require('vm2');
const vm = new VM();

vm.run(`1 + 1`);  // => 2

as mentioned in comments of other answers.

如其他答案的评论所述。

I don't know how secure it is, but it at least claims that it runs untrusted code securely (in its README). And I couldn't find any obvious security issues so far as solutions suggested in other answers here.

我不知道它有多安全，但它至少声称它安全地运行不受信任的代码(在自述文件中)。我找不到任何明显的安全问题，就像这里的其他答案所建议的那样。

#1