Re: [nodejs] Sandboxing using 'vm' module & wrapping require()/process.binding()


Ben Noordhuis

Jul 2, 2012, 10:53:26 PM7/2/12
to nod...@googlegroups.com
On Tue, Jul 3, 2012 at 4:27 AM, Will Riley <hapti...@gmail.com> wrote:
> Hi,
>
> Right now I'm working on a sandbox library for node.js. I'd most likely be
> using vm.runInNewContext to prevent any unwanted methods (eg process.kill)
> from becoming accessible, and the untrusted code would run in a different
> node process.
>
> I'm looking into the possibility of enabling code to call a wrapped
> 'require()' for loading a restricted set of modules (eg 'crypto' or 'util'),
> or even exposing wrapped versions of 'net' or 'fs' that restrict their use
> to certain paths/addresses. This is mainly for performance reasons,
> otherwise I'd do I/O in the main process.
>
> I'm a bit concerned that somehow, 'process.binding()' is going to become
> accessible to the untrusted code if I expose a module to it. Is this an
> irrational concern, or would it be more secure to wrap process.binding in
> the global scope of my sandbox before running the untrusted code?
>
> Thanks again!

The vm module is *not* for running untrusted code. A sandbox != secure jail.

We warn about it in the docs but maybe we have to be more explicit
about it because questions like yours come up often.

Will Riley

Jul 2, 2012, 11:16:00 PM7/2/12
to nod...@googlegroups.com
Ah, I see. I saw in the docs that it says "safely running untrusted code requires a separate process", but could you elaborate on that? Would it be better to use vanilla v8 for something like this?

Fedor Indutny

Jul 2, 2012, 11:20:42 PM7/2/12
to nod...@googlegroups.com
Well, you may use a separate node process, but you should run it in a chroot or jail if you want real safety here.

Cheers,
Fedor.



--
Job Board: http://jobs.nodejs.org/
Posting guidelines: https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines
You received this message because you are subscribed to the Google
Groups "nodejs" group.
To post to this group, send email to nod...@googlegroups.com
To unsubscribe from this group, send email to
nodejs+un...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/nodejs?hl=en

Azer Koçulu

Jul 2, 2012, 11:38:47 PM7/2/12
to nod...@googlegroups.com
Hi,

OneJS (http://github.com/azer/onejs) aims to do a very similar job by
bundling. It wraps all the modules in your project and provides them
custom implementations of global NodeJS functions & objects (require,
process, console etc..);

https://github.com/azer/onejs/blob/master/templates/module.js#L6

Right now its NodeJS emulation is not enough for your purpose. It
needs better process implementation and the emulations of the core
libraries that need to be inside of sandbox.

Best,

Azer

Rehan Iftikhar

Jul 3, 2012, 1:26:37 AM7/3/12
to nod...@googlegroups.com
This is a talk from 2012 RubyConfIndia where two guys talk about sandboxing Ruby on the server: http://www.youtube.com/watch?v=ntIzf9onRqA

Some of the stuff is Ruby specific, but there is a lot of good Linux stuff in there too.

Cheers,
Fedor.



Marcel Laverdet

Jul 3, 2012, 1:50:26 AM7/3/12
to nod...@googlegroups.com
With all due respect you are in over your head :)

If you want to take a stab at this for real take a peek at google-caja
