Looks like "contextify" is what we need. I'll have to test for caller attacks, 
but it looks like it will work.

Thanks,
Gustavo Machado



On Jan 16, 2013, at 9:08 PM, Berger Kennedy FOTSO <[email protected]> wrote:

> https://npmjs.org/package/contextify
> 
> or maybe 
> https://npmjs.org/package/node-sandbox
> 
> 
> 
> 2013/1/16 Diogo Resende <[email protected]>
> I would try a parser like uglify to detect if require() is called in the 
> code. If not I would accept the "script". You could check more things but 
> that is the most important.
> 
> Then I would just run the code inside vm module.
> 
> -- 
> Diogo Resende
> 
> On Wednesday, January 16, 2013 at 21:24 , Gustavo Machado wrote:
> 
>> Hello,
>> 
>> We are building a platform that is oriented to developers in node.js, and we 
>> are in the process of evaluating giving our users the ability to configure 
>> validation and authorisation rules in JavaScript.
>> 
>> On virtually every request, these validation rules are going to be executed, 
>> so it needs to be somewhat performant, but most importantly "safe". And by 
>> safe I mean:
>> 
>> - no require-ing
>> - no access to global
>> - any kind of attack that may give access to the local system (files, 
>> network, etc)
>> 
>> So far, we found the "sandbox" module: 
>> https://github.com/gf3/sandbox/blob/master/example/example.js but are 
>> looking for some other choices.
>> 
>> Thanks,
>> Gustavo Machado
>> 
>> --
>> Job Board: http://jobs.nodejs.org/
>> Posting guidelines: 
>> https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines
>> You received this message because you are subscribed to the Google
>> Groups "nodejs" group.
>> To post to this group, send email to [email protected]
>> To unsubscribe from this group, send email to
>> [email protected]
>> For more options, visit this group at
>> http://groups.google.com/group/nodejs?hl=en?hl=en
> 
> 

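One way to apply the "run the code inside vm module" suggestion from this thread to the stated requirements (no require, no access to global, bounded run time), as an added example that is not code from any poster or from the contextify or sandbox modules. `runRule`, the sample rules and the request object are hypothetical; Node's documentation states that `vm` is not a security mechanism, so this narrows what a rule can reach and how long it runs but does not replace process-level isolation.

```javascript
'use strict';
const vm = require('vm');

// Hypothetical helper: evaluate one user-supplied rule (a function body that
// returns true to allow) against a request. Denies on any error or timeout.
function runRule(ruleBody, request, timeoutMs = 50) {
  // Null-prototype sandbox: nothing on the context global leads back to a
  // host object. The request crosses the boundary as a JSON string (a
  // primitive), never as a live host object.
  const sandbox = Object.create(null);
  sandbox.requestJson = JSON.stringify(request);
  const context = vm.createContext(sandbox, {
    codeGeneration: { strings: false, wasm: false }, // no eval / new Function
    microtaskMode: 'afterEvaluate', // promise jobs count toward the timeout
  });
  const wrapped =
    '(function (request) { "use strict";\n' + ruleBody +
    '\n})(JSON.parse(requestJson))';
  try {
    const result = new vm.Script(wrapped, { filename: 'rule.js' })
      .runInContext(context, { timeout: timeoutMs });
    // Strict comparison only: never call methods on a value the rule returned.
    return { allowed: result === true, failed: false };
  } catch (err) {
    // Fail closed, and do not inspect the thrown value (the rule may have made it).
    return { allowed: false, failed: true };
  }
}

// Constructed sample request and rules.
const sampleRequest = { user: { role: 'admin' }, path: '/reports' };
const sampleRules = {
  roleCheck: 'return request.user.role === "admin";',
  usesRequire: 'return require("fs") !== undefined;',
  probesGlobals:
    'return typeof require === "undefined" && typeof process === "undefined";',
  spins: 'while (true) {}',
};
for (const [name, body] of Object.entries(sampleRules)) {
  console.log(name, runRule(body, sampleRequest));
}
```

A rule that throws, fails to parse, or exceeds the timeout is treated as a deny, so a broken rule never grants access.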