How do I limit node repl instances so they cannot access global scope?


Problem description


When you create a new repl instance in code it automatically has access to anything in global scope. You can modify the repl context to expose some custom variables in local scope so that the repl can access them, but I don't see an easy way to eliminate access to the global scope. I wish I could just give the repl a new blank global scope.

Here is an example repl instance:

var repl = require('repl'),
    msg = "Hello world!";
repl.start('> ').context.msg = msg;

In that repl I typed out the following:

for (var key in global) {
    console.log(key);
}

Which resulted in the following list:

  • ArrayBuffer
  • Int8Array
  • Uint8Array
  • Uint8ClampedArray
  • Int16Array
  • Uint16Array
  • Int32Array
  • Uint32Array
  • Float32Array
  • Float64Array
  • DataView
  • DTRACE_NET_SERVER_CONNECTION
  • DTRACE_NET_STREAM_END
  • DTRACE_NET_SOCKET_READ
  • DTRACE_NET_SOCKET_WRITE
  • DTRACE_HTTP_SERVER_REQUEST
  • DTRACE_HTTP_SERVER_RESPONSE
  • DTRACE_HTTP_CLIENT_REQUEST
  • DTRACE_HTTP_CLIENT_RESPONSE
  • COUNTER_NET_SERVER_CONNECTION
  • COUNTER_NET_SERVER_CONNECTION_CLOSE
  • COUNTER_HTTP_SERVER_REQUEST
  • COUNTER_HTTP_SERVER_RESPONSE
  • COUNTER_HTTP_CLIENT_REQUEST
  • COUNTER_HTTP_CLIENT_RESPONSE
  • global
  • process
  • GLOBAL
  • root
  • Buffer
  • setTimeout
  • setInterval
  • clearTimeout
  • clearInterval
  • setImmediate
  • clearImmediate
  • console
  • module
  • require
  • msg
  • _
  • key

You can see that our msg variable was added in there, which is great, but there are many global variables I do not want to expose. I want to expose some of the less harmful ones, such as setTimeout, console, etc., but definitely not things like require, process, etc. Does anyone know how I might overcome this without spawning a totally new child process?

Solution

I don't know if this is the best solution but I did manage to accomplish this. The context object for the repl is the global object. It's just automatically augmented with everything from global. This means you can iterate over the properties on it and remove the ones you are not interested in.

https://gist.github.com/Chevex/7000130

// Function to determine if an array contains a specific value.
function contains(array, value) {
    for(var i = 0; i < array.length; i++) {
        if(array[i] === value) return true;
    }
    return false;
}

var repl = require('repl'),
    newRepl = repl.start('> ');

var allowedGlobals = ['ArrayBuffer', 'Int8Array', 'Uint8Array', 'Uint8ClampedArray', 'Int16Array', 'Uint16Array', 'Int32Array',
    'Uint32Array', 'Float32Array', 'Float64Array', 'DataView', 'Buffer', 'setTimeout', 'setInterval',
    'clearTimeout', 'clearInterval', 'console', '_'];

for (var key in newRepl.context) {
    if (!contains(allowedGlobals, key)) {
        delete newRepl.context[key];
    }
}

It's kind of annoying having to maintain a string array of global variables I want to allow, but at least this white-lists them. If node updates and adds something new to the global scope it won't be exposed until I explicitly add it to the list.

If you need to also white-list repl commands or eliminate the repl's access to node core modules then see this question.
