Thanks for the suggestion. Caja does seem like it's pretty robust but maybe more than I need. Plus, I would have to call out to a service every time I compile or re-implement the whole thing in node to use it. Neither is really an option, unfortunately.
On Wednesday, 11 July 2012 13:17:23 UTC-4, Marcel wrote: > > Look at Google Caja, this does exactly what you describe. It's a very > complicated problem. > > On Wednesday, July 11, 2012, Angel Java Lopez wrote: > >> I presented a project (idea, no code yet) that needs that feature, too. >> >> Game server (as a service?) that accepts logic code from game tenants. >> Another project needs something like this (it's like >> https://github.com/ryanb/ruby-warrior/ ) >> >> So, thanks for the question, and for any answer! >> >> Angel "Java" Lopez >> >> On Wed, Jul 11, 2012 at 1:52 PM, Kevin O <[email protected]> wrote: >> >>> We are working on an app where we want to give users the ability to >>> upload JS scripts to process their data in our app. >>> >>> Insane, right? :) Well we are going to do it in a sane way or not do it >>> at all. We understand the risks. >>> >>> I want to take raw JS input from the user, generate an AST, >>> cleanse/evaluate/mangle it, then "re-compile" to minified JS *only*when we >>> know is safe. If the script is doing unsafe things, we'll return >>> compiler errors. Our compiler needs to be able to limit the JS globals to a >>> short "whitelist". i.e. stuff like eval() is not available within the >>> script. >>> >>> Scripts will be run in our node app using vm.runInNewContext(). We will >>> pass in a context object with the data that the user will be processing >>> with their script. >>> >>> Has anyone done something like this? I have a small bit of code started >>> using uglify but am wondering if there are some other projects or design >>> ideas I can pluck from before getting to deep into the weeds. >>> >>> Thanks >>> >>> Kevin >>> >>> -- >>> Job Board: http://jobs.nodejs.org/ >>> Posting guidelines: >>> https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines >>> You received this message because you are subscribed to the Google >>> Groups "nodejs" group. >>> To post to this group, send email to [email protected] >>> To unsubscribe from this group, send email to >>> [email protected] >>> For more options, visit this group at >>> http://groups.google.com/group/nodejs?hl=en?hl=en >>> >> >> -- >> Job Board: http://jobs.nodejs.org/ >> Posting guidelines: >> https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines >> You received this message because you are subscribed to the Google >> Groups "nodejs" group. >> To post to this group, send email to [email protected] >> To unsubscribe from this group, send email to >> [email protected] >> For more options, visit this group at >> http://groups.google.com/group/nodejs?hl=en?hl=en >> > On Wednesday, 11 July 2012 13:17:23 UTC-4, Marcel wrote: > > Look at Google Caja, this does exactly what you describe. It's a very > complicated problem. > > On Wednesday, July 11, 2012, Angel Java Lopez wrote: > >> I presented a project (idea, no code yet) that needs that feature, too. >> >> Game server (as a service?) that accepts logic code from game tenants. >> Another project needs something like this (it's like >> https://github.com/ryanb/ruby-warrior/ ) >> >> So, thanks for the question, and for any answer! >> >> Angel "Java" Lopez >> >> On Wed, Jul 11, 2012 at 1:52 PM, Kevin O <[email protected]> wrote: >> >>> We are working on an app where we want to give users the ability to >>> upload JS scripts to process their data in our app. >>> >>> Insane, right? :) Well we are going to do it in a sane way or not do it >>> at all. We understand the risks. >>> >>> I want to take raw JS input from the user, generate an AST, >>> cleanse/evaluate/mangle it, then "re-compile" to minified JS *only*when we >>> know is safe. If the script is doing unsafe things, we'll return >>> compiler errors. Our compiler needs to be able to limit the JS globals to a >>> short "whitelist". i.e. stuff like eval() is not available within the >>> script. >>> >>> Scripts will be run in our node app using vm.runInNewContext(). We will >>> pass in a context object with the data that the user will be processing >>> with their script. >>> >>> Has anyone done something like this? I have a small bit of code started >>> using uglify but am wondering if there are some other projects or design >>> ideas I can pluck from before getting to deep into the weeds. >>> >>> Thanks >>> >>> Kevin >>> >>> -- >>> Job Board: http://jobs.nodejs.org/ >>> Posting guidelines: >>> https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines >>> You received this message because you are subscribed to the Google >>> Groups "nodejs" group. >>> To post to this group, send email to [email protected] >>> To unsubscribe from this group, send email to >>> [email protected] >>> For more options, visit this group at >>> http://groups.google.com/group/nodejs?hl=en?hl=en >>> >> >> -- >> Job Board: http://jobs.nodejs.org/ >> Posting guidelines: >> https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines >> You received this message because you are subscribed to the Google >> Groups "nodejs" group. >> To post to this group, send email to [email protected] >> To unsubscribe from this group, send email to >> [email protected] >> For more options, visit this group at >> http://groups.google.com/group/nodejs?hl=en?hl=en >> > -- Job Board: http://jobs.nodejs.org/ Posting guidelines: https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines You received this message because you are subscribed to the Google Groups "nodejs" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/nodejs?hl=en?hl=en
