Bad news about contextify. While it looks pretty good, it will not stand
the "caller-attack" test. You can check out the results here:

https://gist.github.com/4557432

Basically, you can gain access to require (or any other global variable) if
used this way. I thought about wrapping the call to run in some other
function like setTimeout, process.nextTick, however I can still gain access
to these which are still dangerous.
Thoughts? Suggestions?

Thanks,
Gustavo Machado


On Thu, Jan 17, 2013 at 11:30 AM, Gustavo Machado <[email protected]> wrote:

> Looks like "contextify" is what we need. I'll have to test for caller
> attacks, but it looks like it will work.
>
> Thanks,
> Gustavo Machado
>
>
>
> On Jan 16, 2013, at 9:08 PM, Berger Kennedy FOTSO <[email protected]>
> wrote:
>
> https://npmjs.org/package/contextify
>
> or maybe
> https://npmjs.org/package/node-sandbox
>
>
>
> 2013/1/16 Diogo Resende <[email protected]>
>
>> I would try a parser like uglify to detect if require() is called in the
>> code. If not I would accept the "script". You could check more things but
>> that is the most important.
>>
>> Then I would just run the code inside vm module.
>>
>> --
>> Diogo Resende
>>
>> On Wednesday, January 16, 2013 at 21:24 , Gustavo Machado wrote:
>>
>> Hello,
>>
>> We are building a platform that is oriented to developers in node.js, and
>> we are in the process of evaluating giving our users the ability to
>> configure validation and authorisation rules in Javascript.
>>
>> On virtually every request, these validation rules are going to be
>> executed, so it needs to be somewhat performant, but most importantly
>> "safe". And by safe I mean:
>>
>> - no require-ing
>> - no access to global
>> - any kind of attack that may give access to the local system (files,
>> network, etc)
>>
>> So far, we found the "sandbox" module:
>> https://github.com/gf3/sandbox/blob/master/example/example.js but are
>> looking for some other choices.
>>
>> Thanks,
>> Gustavo Machado
>>
>> --
>> Job Board: http://jobs.nodejs.org/
>> Posting guidelines:
>> https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines
>> You received this message because you are subscribed to the Google
>> Groups "nodejs" group.
>> To post to this group, send email to [email protected]
>> To unsubscribe from this group, send email to
>> [email protected]
>> For more options, visit this group at
>> http://groups.google.com/group/nodejs?hl=en?hl=en
>>
>
>

