Safely sandbox and execute user submitted JavaScript?


Problem description

I would like to have the ability to let users submit arbitrary JavaScript code, which is then sent to a Node.JS server and safely executed before the output is sent back to multiple clients (as JSON). The eval function comes to mind, but I know this has multiple security concerns (the user submitted code would be able to access Node's File API, etc). I have seen some projects like Microsoft Web Sandbox and Google Caja which allow execution of sanitized markup and script (for embedding third-party ads on websites), but it seems that these are client-side tools and I'm not sure if they can be safely used within Node.

Is there a standard way to sandbox and execute non-trusted JavaScript in Node, getting the output? Is it a mistake to try and do this server-side?

Edit: It's not important that the user be able to leverage the full capabilities of JavaScript, in fact it would be preferable to be able to pick and choose which APIs would be provided to the user code.

Edit: I am going to go ahead and update with what I found. This Sandcastle module (bcoe/sandcastle) seems to aim to do what I have in mind. Not sure how secure it is, but since this is not for anything too important I think I'll try it. I'll add my own answer if I'm able to successfully do this.

Recommended answer

This answer is outdated, as gf3 does not provide protection against breaking out of the sandbox.

http://gf3.github.io/sandbox/ - it uses require('child_process') instead of require('vm').
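
The general shape of the child-process approach the answer refers to, as an added example (not code from the original post or from the gf3 or Sandcastle projects): the submitted source runs in a separate Node process with an empty environment, a hard timeout and an allowlisted API, and the result comes back as JSON. The `runUntrusted` function and the `add` API are hypothetical names. Node's documentation states that `vm` is not a security mechanism, so this layout provides process separation and resource limits only and still needs OS-level isolation around the child.

```javascript
const { spawnSync } = require('node:child_process');

// Child program: reads the submitted source from stdin, evaluates it in a new
// vm context that sees only the allowlisted globals, and prints one JSON line.
const CHILD = `
const vm = require('node:vm');
let src = '';
process.stdin.setEncoding('utf8');
process.stdin.on('data', (d) => { src += d; });
process.stdin.on('end', () => {
  const api = { add: (a, b) => a + b };   // hypothetical API offered to user code
  let out;
  try {
    const value = vm.runInNewContext(src, api, { timeout: 200 });
    out = JSON.stringify({ ok: true, value });
  } catch (e) {
    out = JSON.stringify({ ok: false, error: String(e && e.message) });
  }
  process.stdout.write(out);
});
`;

function runUntrusted(source, { timeoutMs = 5000 } = {}) {
  const r = spawnSync(process.execPath, ['--max-old-space-size=64', '-e', CHILD], {
    input: source,
    env: {},                // the child inherits no secrets from the server's environment
    timeout: timeoutMs,     // hard stop if the whole child process hangs
    killSignal: 'SIGKILL',
    maxBuffer: 64 * 1024,   // cap how much output is accepted
    encoding: 'utf8',
  });
  if (r.error) return { ok: false, error: r.error.code || r.error.message };
  if (r.status !== 0) return { ok: false, error: `child exited with ${r.status}` };
  try {
    return JSON.parse(r.stdout);
  } catch {
    return { ok: false, error: 'child produced invalid output' };
  }
}

// Constructed sample submissions.
for (const code of ['add(2, 3) * 2', 'typeof require', 'while (true) {}']) {
  console.log(JSON.stringify(code), '->', runUntrusted(code));
}
```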
