Hi, OneJS (http://github.com/azer/onejs) aims to do a very similar job by bundling. It wraps all the modules in your project and provides them custom implementations of global NodeJS functions & objects (require, process, console etc..);
https://github.com/azer/onejs/blob/master/templates/module.js#L6 Right now its NodeJS emulation is not enough for your purpose. It needs better process implementation and the emulations of the core libraries that need to be inside of sandbox. Best, Azer On Mon, Jul 2, 2012 at 8:20 PM, Fedor Indutny <[email protected]> wrote: > Well, you may use separate node process, but you should run in in chroot or > jail if you want a real safity here. > > Cheers, > Fedor. > > > > On Mon, Jul 2, 2012 at 8:16 PM, Will Riley <[email protected]> wrote: >> >> Ah, I see. I saw in the docs that it says "safely running untrusted code >> requires a separate process", but could you elaborate on that? Would it be >> better to use vanilla v8 for something like this? >> >> >> On Monday, July 2, 2012 10:53:26 PM UTC-4, Ben Noordhuis wrote: >>> >>> On Tue, Jul 3, 2012 at 4:27 AM, Will Riley <[email protected]> wrote: >>> > Hi, >>> > >>> > Right now I'm working on a sandbox library for node.js. I'd most likely >>> > be >>> > using vm.runInNewContext to prevent any unwanted methods (eg >>> > process.kill) >>> > from becoming accessible, and the untrusted code would run in a >>> > different >>> > node process. >>> > >>> > I'm looking into the possibility of enabling code to call a wrapped >>> > 'require()' for loading a restricted set of modules (eg 'crypto' or >>> > 'util'), >>> > or even exposing wrapped versions of 'net' or 'fs' that restrict their >>> > use >>> > to certain paths/addresses. This is mainly for performance reasons, >>> > otherwise I'd do I/O in the main process. >>> > >>> > I'm a bit concerned that somehow, 'process.binding()' is going to >>> > become >>> > accessible to the untrusted code if I expose a module to it. Is this an >>> > irrational concern, or would it be more secure to wrap process.binding >>> > in >>> > the global scope of my sandbox before running the untrusted code? >>> > >>> > Thanks again! >>> >>> The vm module is *not* for running untrusted code. A sandbox != secure >>> jail. >>> >>> We warn about it in the docs but maybe we have to be more explicit >>> about it because questions like yours come up often. >> >> -- >> Job Board: http://jobs.nodejs.org/ >> Posting guidelines: >> https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines >> You received this message because you are subscribed to the Google >> Groups "nodejs" group. >> To post to this group, send email to [email protected] >> To unsubscribe from this group, send email to >> [email protected] >> For more options, visit this group at >> http://groups.google.com/group/nodejs?hl=en?hl=en > > > -- > Job Board: http://jobs.nodejs.org/ > Posting guidelines: > https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines > You received this message because you are subscribed to the Google > Groups "nodejs" group. > To post to this group, send email to [email protected] > To unsubscribe from this group, send email to > [email protected] > For more options, visit this group at > http://groups.google.com/group/nodejs?hl=en?hl=en -- Job Board: http://jobs.nodejs.org/ Posting guidelines: https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines You received this message because you are subscribed to the Google Groups "nodejs" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/nodejs?hl=en?hl=en
