如何限制节点代表对内部节点模块的访问? [英] How do I limit the node repl's access to internal node modules?
问题描述
在一个上一个问题中,我弄清楚了如何从repl上下文中消除不需要的全局变量.但是,我发现repl可以自动访问所有内部节点模块,而无需使用require
.我不知道如何禁用此功能.我什至尝试覆盖repl本身中的模块变量,但这是行不通的.
In a previous question I figured out how to eliminate unwanted global variables from the repl context. However, I figured out that the repl automatically has access to ALL internal node modules without the use of require
. I have no idea how to disable this. I even tried overriding the module variables in the repl itself and it doesn't work.
> fs ="test";
> fs
> fs = "test";
> fs
它仍然显示fs
原始值.这是非常不幸的,因为我正试图公开公开代表,但它使他们可以访问整个服务器.
It still displays fs
original value. This is very unfortunate because I'm trying to expose a public repl but it gives them access to the entire server.
有什么想法吗?
推荐答案
As you said, the REPL has access to core modules.
(但是,经过检查后,我可以用节点0.10.20覆盖它们,因此应该有解决方案)
(however, after checking, I am able to override them with node 0.10.20, so there should be a solution)
> fs
> { Stats: [Function], …
> fs = 'hello';
> fs
'hello'
更好的方法是在创建repl实例之前覆盖repl._builtinLibs
.
A better way would be to just override repl._builtinLibs
before creating a repl instance.
var repl = require('repl');
repl._builtinLibs = [];
repl.start('> ');
此外,如果您不想公开.save
或.load
之类的命令,将白名单repl命令列为白名单也很简单.
Also, it's fairly trivial to white-list repl commands if you don't want to expose commands like .save
or .load
.
var allowedReplCmds = ['.break', '.clear', '.help'];
var newRepl = repl.start('> ');
for (var key in newRepl.commands)
if (!allowedReplCmds.contains(key))
delete replInstance.commands[key];
注意:数组通常没有contains
方法,因此我添加了一个.
Note: Arrays don't normally have a contains
method so I added one.
Array.prototype.contains = function(v) {
for(var i = 0; i < this.length; i++) {
if(this[i] === v) return true;
}
return false;
};
如果要从repl实例的全局范围中删除变量,请参见此问题.
If you want to remove variables from the repl instance's global scope see this question.
请注意,向公众公开REPL是非常不安全的.
您可以轻松使整个服务器崩溃
> setTimeout(function () { throw 'bye bye!'; }, 0);
REPL不会捕获异步回调中发生的错误,并会降低node.js实例.
Errors that happen in async callbacks are not caught by the REPL and bring down the node.js instance.
您可以阻止服务器
> while(true) {};
您最好的选择是使用child_process,readline和vm在单独的进程中编写自己的REPL.这是一个起点:
Your best bet would be to code your own REPL in a separate process with child_process, readline and vm. Here's a starting point:
主人:
// master.js
var fork = require('child_process').fork;
// functions exposed to the repl
var replApi = {
hello: function () {
return 'world!';
},
unknown: function () {
return 'unknown';
}
};
function forkRepl() {
var repl = fork('./child_repl');
repl.on('message', function (command) {
var fun = replApi[command] || replApi.unknown;
repl.send(fun());
});
// restart the repl if it dies
repl.on('exit', forkRepl);
}
forkRepl();
以及用于repl的单独过程:
and the separate process for the repl:
// child_repl.js
var readline = require('readline'),
vm = require('vm');
var context = vm.createContext({
hello: function () {
process.send('hello');
}
});
var rl = readline.createInterface({
input: process.stdin,
output: process.stdout
});
rl.on('line', function (line) {
vm.runInContext(line, context, 'repl.vm');
});
process.on('message', function (message) {
console.log('master:', message);
});
rl.prompt();
这篇关于如何限制节点代表对内部节点模块的访问?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!