7

I'm a complete Node noob, so I apologize if this question has an obvious answer.

I'm looking to create a web app that will run plugins from untrusted sources (i.e. community submissions). So I need to lock down those plugins into a sandbox where only certain access is allowed (can't write to disk, etc.). Ideally, the plugin would only be able to use certain approved node packages and APIs.

Is this possible in Node? If so, can you point me toward a package or documentation that will get me started?

RationalGeek
  • There is a module called "node-sandbox" on GitHub. It basically runs untrusted code in another process. This is very bare-bones IMO but it can do the job. I usually read the code really fast when I download a new module from GitHub to find weird irregularities and never found a single one. I know this is not the best since the code changes between updates but I guess we have to trust people at some point. – Jean-Philippe Leclerc Apr 25 '13 at 14:55
  • Well I can't leave it to trust in my case, because I'll be accepting code "automatically" as plugins. So I need to protect the core app from hostile / poorly-written plugins. I will take a look at node-sandbox. – RationalGeek Apr 25 '13 at 17:31
  • Does this answer your question? [How to run untrusted code serverside?](https://stackoverflow.com/questions/10937870/how-to-run-untrusted-code-serverside) – Jerska Mar 27 '20 at 10:40

2 Answers

3

Here is a small list of projects that can help you:

I suggest the first one (sandbox) since it's more mature.

rafaelcastrocouto
1

I would also contribute to the list with my library: https://github.com/asvd/jailed. In addition to the sandboxing of the untrusted code (in a restricted subprocess), it gives an opportunity to export any set of functions inside the sandbox thus defining a custom API for the sandboxed code.

asvd
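The pattern both answers rely on (plugin in a separate process, host exposing only a chosen set of functions) comes down to a host-side gate on every message the plugin sends. The following is an added example, not code from jailed or any project named above; `makeDispatcher`, `runPlugin`, `sampleApi` and the `{id, call, args}` message shape are assumptions made for illustration.

```javascript
// Added example: host-side gate for calls arriving from a plugin process.
const { fork } = require('child_process');

// Build a dispatcher over an explicit allowlist of exported functions.
function makeDispatcher(exported) {
  // Prototype-less map: "constructor", "__proto__", "toString" never resolve.
  const api = Object.create(null);
  for (const [name, fn] of Object.entries(exported)) {
    if (typeof fn === 'function') api[name] = fn;
  }
  return function dispatch(msg) {
    // Everything from the plugin is untrusted: validate the shape before use.
    if (msg === null || typeof msg !== 'object' ||
        typeof msg.call !== 'string' || !Array.isArray(msg.args)) {
      return { ok: false, error: 'malformed message' };
    }
    const fn = api[msg.call];
    if (fn === undefined) return { ok: false, error: 'not exported: ' + msg.call };
    try {
      return { ok: true, value: fn(...msg.args) };
    } catch (err) {
      // Return only the message text, never the host's stack trace.
      return { ok: false, error: String(err && err.message) };
    }
  };
}

// Run a plugin file in its own process and answer its requests via the gate.
function runPlugin(pluginPath, exported) {
  const dispatch = makeDispatcher(exported);
  // Empty env keeps host secrets (API keys, DB URLs) out of the child.
  const child = fork(pluginPath, [], { env: {}, execArgv: [] });
  child.on('message', (msg) => {
    const reply = dispatch(msg);
    reply.id = msg && typeof msg === 'object' ? msg.id : undefined;
    child.send(reply);
  });
  return child;
}

// Constructed sample API: the only two things a plugin may ask the host to do.
const sampleApi = {
  upper: (s) => String(s).toUpperCase(),
  add: (a, b) => Number(a) + Number(b),
};
```

`fork()` on its own does not take away the child's access to disk or network; that restriction has to come from OS-level confinement (a container, a separate low-privilege user, seccomp), which this sketch assumes is already in place around the plugin process.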