this may take your interest; http://github.com/azer/onejs
azer On Wed, Jul 11, 2012 at 3:31 PM, Marcel Laverdet <[email protected]> wrote: > "Too robust" is not a thing. This is a problem that is very complex. As > mentioned in later replies by the Caja team and others since node is using a > very modern version of v8 you can run Caja with minimal translations that > are all done in pure-JS. > > With regards to infinite loops you've got another thing on your hands. You > will need to write some C++ code for this, but it's certainly possible to > write a version of vm.runInNextContext() that has a timeout. Alternatively > you could use a node process for each instance, and terminate with a > SIGKILL. > > > On Wed, Jul 11, 2012 at 1:24 PM, Kevin O <[email protected]> wrote: >> >> Thanks for the suggestion. Caja does seem like it's pretty robust but >> maybe more than I need. Plus, I would have to call out to a service every >> time I compile or re-implement the whole thing in node to use it. Neither is >> really an option, unfortunately. >> >> On Wednesday, 11 July 2012 13:17:23 UTC-4, Marcel wrote: >>> >>> Look at Google Caja, this does exactly what you describe. It's a very >>> complicated problem. >>> >>> On Wednesday, July 11, 2012, Angel Java Lopez wrote: >>>> >>>> I presented a project (idea, no code yet) that needs that feature, too. >>>> >>>> Game server (as a service?) that accepts logic code from game tenants. >>>> Another project needs something like this (it's like >>>> https://github.com/ryanb/ruby-warrior/ ) >>>> >>>> So, thanks for the question, and for any answer! >>>> >>>> Angel "Java" Lopez >>>> >>>> On Wed, Jul 11, 2012 at 1:52 PM, Kevin O <[email protected]> wrote: >>>>> >>>>> We are working on an app where we want to give users the ability to >>>>> upload JS scripts to process their data in our app. >>>>> >>>>> Insane, right? :) Well we are going to do it in a sane way or not do >>>>> it at all. We understand the risks. >>>>> >>>>> I want to take raw JS input from the user, generate an AST, >>>>> cleanse/evaluate/mangle it, then "re-compile" to minified JS only when we >>>>> know is safe. If the script is doing unsafe things, we'll return compiler >>>>> errors. Our compiler needs to be able to limit the JS globals to a short >>>>> "whitelist". i.e. stuff like eval() is not available within the script. >>>>> >>>>> Scripts will be run in our node app using vm.runInNewContext(). We will >>>>> pass in a context object with the data that the user will be processing >>>>> with >>>>> their script. >>>>> >>>>> Has anyone done something like this? I have a small bit of code started >>>>> using uglify but am wondering if there are some other projects or design >>>>> ideas I can pluck from before getting to deep into the weeds. >>>>> >>>>> Thanks >>>>> >>>>> Kevin >>>>> >>>>> -- >>>>> Job Board: http://jobs.nodejs.org/ >>>>> Posting guidelines: >>>>> https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines >>>>> You received this message because you are subscribed to the Google >>>>> Groups "nodejs" group. >>>>> To post to this group, send email to [email protected] >>>>> To unsubscribe from this group, send email to >>>>> [email protected] >>>>> For more options, visit this group at >>>>> http://groups.google.com/group/nodejs?hl=en?hl=en >>>> >>>> >>>> -- >>>> Job Board: http://jobs.nodejs.org/ >>>> Posting guidelines: >>>> https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines >>>> You received this message because you are subscribed to the Google >>>> Groups "nodejs" group. >>>> To post to this group, send email to [email protected] >>>> To unsubscribe from this group, send email to >>>> [email protected] >>>> For more options, visit this group at >>>> http://groups.google.com/group/nodejs?hl=en?hl=en >> >> >> On Wednesday, 11 July 2012 13:17:23 UTC-4, Marcel wrote: >>> >>> Look at Google Caja, this does exactly what you describe. It's a very >>> complicated problem. >>> >>> On Wednesday, July 11, 2012, Angel Java Lopez wrote: >>>> >>>> I presented a project (idea, no code yet) that needs that feature, too. >>>> >>>> Game server (as a service?) that accepts logic code from game tenants. >>>> Another project needs something like this (it's like >>>> https://github.com/ryanb/ruby-warrior/ ) >>>> >>>> So, thanks for the question, and for any answer! >>>> >>>> Angel "Java" Lopez >>>> >>>> On Wed, Jul 11, 2012 at 1:52 PM, Kevin O <[email protected]> wrote: >>>>> >>>>> We are working on an app where we want to give users the ability to >>>>> upload JS scripts to process their data in our app. >>>>> >>>>> Insane, right? :) Well we are going to do it in a sane way or not do >>>>> it at all. We understand the risks. >>>>> >>>>> I want to take raw JS input from the user, generate an AST, >>>>> cleanse/evaluate/mangle it, then "re-compile" to minified JS only when we >>>>> know is safe. If the script is doing unsafe things, we'll return compiler >>>>> errors. Our compiler needs to be able to limit the JS globals to a short >>>>> "whitelist". i.e. stuff like eval() is not available within the script. >>>>> >>>>> Scripts will be run in our node app using vm.runInNewContext(). We will >>>>> pass in a context object with the data that the user will be processing >>>>> with >>>>> their script. >>>>> >>>>> Has anyone done something like this? I have a small bit of code started >>>>> using uglify but am wondering if there are some other projects or design >>>>> ideas I can pluck from before getting to deep into the weeds. >>>>> >>>>> Thanks >>>>> >>>>> Kevin >>>>> >>>>> -- >>>>> Job Board: http://jobs.nodejs.org/ >>>>> Posting guidelines: >>>>> https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines >>>>> You received this message because you are subscribed to the Google >>>>> Groups "nodejs" group. >>>>> To post to this group, send email to [email protected] >>>>> To unsubscribe from this group, send email to >>>>> [email protected] >>>>> For more options, visit this group at >>>>> http://groups.google.com/group/nodejs?hl=en?hl=en >>>> >>>> >>>> -- >>>> Job Board: http://jobs.nodejs.org/ >>>> Posting guidelines: >>>> https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines >>>> You received this message because you are subscribed to the Google >>>> Groups "nodejs" group. >>>> To post to this group, send email to [email protected] >>>> To unsubscribe from this group, send email to >>>> [email protected] >>>> For more options, visit this group at >>>> http://groups.google.com/group/nodejs?hl=en?hl=en >> >> -- >> Job Board: http://jobs.nodejs.org/ >> Posting guidelines: >> https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines >> You received this message because you are subscribed to the Google >> Groups "nodejs" group. >> To post to this group, send email to [email protected] >> To unsubscribe from this group, send email to >> [email protected] >> For more options, visit this group at >> http://groups.google.com/group/nodejs?hl=en?hl=en > > > -- > Job Board: http://jobs.nodejs.org/ > Posting guidelines: > https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines > You received this message because you are subscribed to the Google > Groups "nodejs" group. > To post to this group, send email to [email protected] > To unsubscribe from this group, send email to > [email protected] > For more options, visit this group at > http://groups.google.com/group/nodejs?hl=en?hl=en -- Job Board: http://jobs.nodejs.org/ Posting guidelines: https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines You received this message because you are subscribed to the Google Groups "nodejs" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/nodejs?hl=en?hl=en
