
How to run user-submitted scripts securely in a node.js

There are a few methods: (1) eval(), (2) use node's ability to evaluate code in a new context, (3) use something like https://github.com/gf3/sandbox#readme

But I am not sure which one is more secure and gives good performance. I can explain a little about my use case. The user will submit a script and I will pass an object to that script, which already has handling logic defined within it, and in the end it will return me an object which I want to get in my application for further use.

I have searched on the internet but was unable to find any good recommendations about which way to go.

I have similar requirements in a project of mine and came across your question during my research. Let me share my findings:

Using eval + vm.runInNewContext ( http://nodejs.org/docs/latest/api/vm.html#vm_sandboxes ):

This can be insecure and from the statements in the mailing lists and issue tracker this is also not the recommended use. The sandbox module you have linked is the recommended way for this purpose.

See also: https://github.com/joyent/node/issues/1469

Using Child-Processes ( http://nodejs.org/api/child_process.html ):

This can be a good solution if you don't plan on too much concurrency. A new child is a new V8 instance and will take about 30ms to start and use about 10MB of memory. You can kill the child when it's done and free the memory.

Sandbox Module ( https://github.com/gf3/sandbox ):

The module was built for this purpose and uses child processes. It will solve your problem in the easiest way. You may also use it as an example of how to create your own child-process-based solution.
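
Added example (not part of the original answer and not the sandbox module's code): a minimal child-process runner of the kind the answer describes, where each script runs in its own Node process that the parent can kill. The names `runUserScript` and `CHILD_SOURCE`, the limits, and the convention that the script sees a plain-data `input` and its last expression is the result are assumptions made for illustration.

```javascript
const { spawnSync } = require('node:child_process');

// Code the child runs (hypothetical helper): read {code, input} from stdin,
// evaluate the script with only `input` in scope, print the result as JSON.
const CHILD_SOURCE = `
  const vm = require('node:vm');
  const { code, input } = JSON.parse(require('node:fs').readFileSync(0, 'utf8'));
  const result = vm.runInNewContext(code, { input });
  process.stdout.write(JSON.stringify({ result }));
`;

// Run one user script in a throwaway Node process and return its result.
function runUserScript(code, input, timeoutMs = 5000) {
  const child = spawnSync(
    process.execPath,
    ['--max-old-space-size=64', '-e', CHILD_SOURCE], // cap the child's heap
    {
      input: JSON.stringify({ code, input }), // data only, no live objects
      encoding: 'utf8',
      timeout: timeoutMs,       // kill runaway scripts (e.g. infinite loops)
      killSignal: 'SIGKILL',
      maxBuffer: 64 * 1024,     // bound how much output the child can send
      env: {},                  // do not leak the parent's environment
    }
  );
  // A timeout surfaces as error.code 'ETIMEDOUT', excess output as 'ENOBUFS'.
  if (child.error) return { ok: false, error: child.error.code || 'spawn failed' };
  // A script that throws makes the child exit with a non-zero status.
  if (child.status !== 0) return { ok: false, error: 'script failed' };
  try {
    return { ok: true, result: JSON.parse(child.stdout).result };
  } catch (e) {
    return { ok: false, error: 'bad output' };
  }
}
```

The child process bounds run time, memory and output; it does not by itself restrict file system or network access, so untrusted scripts also need OS-level controls such as an unprivileged user or a container.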
