"Too robust" is not a thing. This is a problem that is very complex. As mentioned in later replies by the Caja team and others since node is using a very modern version of v8 you can run Caja with minimal translations that are all done in pure-JS.
With regards to infinite loops you've got another thing on your hands. You will need to write some C++ code for this, but it's certainly possible to write a version of vm.runInNextContext() that has a timeout. Alternatively you could use a node process for each instance, and terminate with a SIGKILL. On Wed, Jul 11, 2012 at 1:24 PM, Kevin O <[email protected]> wrote: > Thanks for the suggestion. Caja does seem like it's pretty robust but > maybe more than I need. Plus, I would have to call out to a service every > time I compile or re-implement the whole thing in node to use it. Neither > is really an option, unfortunately. > > On Wednesday, 11 July 2012 13:17:23 UTC-4, Marcel wrote: >> >> Look at Google Caja, this does exactly what you describe. It's a very >> complicated problem. >> >> On Wednesday, July 11, 2012, Angel Java Lopez wrote: >> >>> I presented a project (idea, no code yet) that needs that feature, too. >>> >>> Game server (as a service?) that accepts logic code from game tenants. >>> Another project needs something like this (it's like >>> https://github.com/ryanb/ruby-**warrior/<https://github.com/ryanb/ruby-warrior/> >>> ) >>> >>> So, thanks for the question, and for any answer! >>> >>> Angel "Java" Lopez >>> >>> On Wed, Jul 11, 2012 at 1:52 PM, Kevin O <[email protected]> wrote: >>> >>>> We are working on an app where we want to give users the ability to >>>> upload JS scripts to process their data in our app. >>>> >>>> Insane, right? :) Well we are going to do it in a sane way or not do >>>> it at all. We understand the risks. >>>> >>>> I want to take raw JS input from the user, generate an AST, >>>> cleanse/evaluate/mangle it, then "re-compile" to minified JS *only*when we >>>> know is safe. If the script is doing unsafe things, we'll return >>>> compiler errors. Our compiler needs to be able to limit the JS globals to a >>>> short "whitelist". i.e. stuff like eval() is not available within the >>>> script. >>>> >>>> Scripts will be run in our node app using vm.runInNewContext(). We will >>>> pass in a context object with the data that the user will be processing >>>> with their script. >>>> >>>> Has anyone done something like this? I have a small bit of code started >>>> using uglify but am wondering if there are some other projects or design >>>> ideas I can pluck from before getting to deep into the weeds. >>>> >>>> Thanks >>>> >>>> Kevin >>>> >>>> -- >>>> Job Board: http://jobs.nodejs.org/ >>>> Posting guidelines: https://github.com/joyent/**node/wiki/Mailing-List- >>>> **Posting-Guidelines<https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines> >>>> You received this message because you are subscribed to the Google >>>> Groups "nodejs" group. >>>> To post to this group, send email to [email protected] >>>> To unsubscribe from this group, send email to >>>> nodejs+unsubscribe@**googlegroups.com >>>> For more options, visit this group at >>>> http://groups.google.com/**group/nodejs?hl=en?hl=en<http://groups.google.com/group/nodejs?hl=en?hl=en> >>>> >>> >>> -- >>> Job Board: http://jobs.nodejs.org/ >>> Posting guidelines: https://github.com/joyent/**node/wiki/Mailing-List-* >>> *Posting-Guidelines<https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines> >>> You received this message because you are subscribed to the Google >>> Groups "nodejs" group. >>> To post to this group, send email to [email protected] >>> To unsubscribe from this group, send email to >>> nodejs+unsubscribe@**googlegroups.com >>> For more options, visit this group at >>> http://groups.google.com/**group/nodejs?hl=en?hl=en<http://groups.google.com/group/nodejs?hl=en?hl=en> >>> >> > On Wednesday, 11 July 2012 13:17:23 UTC-4, Marcel wrote: >> >> Look at Google Caja, this does exactly what you describe. It's a very >> complicated problem. >> >> On Wednesday, July 11, 2012, Angel Java Lopez wrote: >> >>> I presented a project (idea, no code yet) that needs that feature, too. >>> >>> Game server (as a service?) that accepts logic code from game tenants. >>> Another project needs something like this (it's like >>> https://github.com/ryanb/ruby-**warrior/<https://github.com/ryanb/ruby-warrior/> >>> ) >>> >>> So, thanks for the question, and for any answer! >>> >>> Angel "Java" Lopez >>> >>> On Wed, Jul 11, 2012 at 1:52 PM, Kevin O <[email protected]> wrote: >>> >>>> We are working on an app where we want to give users the ability to >>>> upload JS scripts to process their data in our app. >>>> >>>> Insane, right? :) Well we are going to do it in a sane way or not do >>>> it at all. We understand the risks. >>>> >>>> I want to take raw JS input from the user, generate an AST, >>>> cleanse/evaluate/mangle it, then "re-compile" to minified JS *only*when we >>>> know is safe. If the script is doing unsafe things, we'll return >>>> compiler errors. Our compiler needs to be able to limit the JS globals to a >>>> short "whitelist". i.e. stuff like eval() is not available within the >>>> script. >>>> >>>> Scripts will be run in our node app using vm.runInNewContext(). We will >>>> pass in a context object with the data that the user will be processing >>>> with their script. >>>> >>>> Has anyone done something like this? I have a small bit of code started >>>> using uglify but am wondering if there are some other projects or design >>>> ideas I can pluck from before getting to deep into the weeds. >>>> >>>> Thanks >>>> >>>> Kevin >>>> >>>> -- >>>> Job Board: http://jobs.nodejs.org/ >>>> Posting guidelines: https://github.com/joyent/**node/wiki/Mailing-List- >>>> **Posting-Guidelines<https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines> >>>> You received this message because you are subscribed to the Google >>>> Groups "nodejs" group. >>>> To post to this group, send email to [email protected] >>>> To unsubscribe from this group, send email to >>>> nodejs+unsubscribe@**googlegroups.com >>>> For more options, visit this group at >>>> http://groups.google.com/**group/nodejs?hl=en?hl=en<http://groups.google.com/group/nodejs?hl=en?hl=en> >>>> >>> >>> -- >>> Job Board: http://jobs.nodejs.org/ >>> Posting guidelines: https://github.com/joyent/**node/wiki/Mailing-List-* >>> *Posting-Guidelines<https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines> >>> You received this message because you are subscribed to the Google >>> Groups "nodejs" group. >>> To post to this group, send email to [email protected] >>> To unsubscribe from this group, send email to >>> nodejs+unsubscribe@**googlegroups.com >>> For more options, visit this group at >>> http://groups.google.com/**group/nodejs?hl=en?hl=en<http://groups.google.com/group/nodejs?hl=en?hl=en> >>> >> -- > Job Board: http://jobs.nodejs.org/ > Posting guidelines: > https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines > You received this message because you are subscribed to the Google > Groups "nodejs" group. > To post to this group, send email to [email protected] > To unsubscribe from this group, send email to > [email protected] > For more options, visit this group at > http://groups.google.com/group/nodejs?hl=en?hl=en > -- Job Board: http://jobs.nodejs.org/ Posting guidelines: https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines You received this message because you are subscribed to the Google Groups "nodejs" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/nodejs?hl=en?hl=en
