I have a Node server. I'm getting a string from the users which is to be executed on some data.

So I decided to use eval. The problem is, anyone can insert the right string which will enable access to my database. How do I prevent this?

I know I can check the string for required() and some other stuff, but what I want is to sandbox the whole thing. I should have access to only the variables which I supply to the function in which the eval is.

Dushyant Bangal
  • https://github.com/asvd/jailed -- http://stackoverflow.com/questions/10937870/how-to-run-untrusted-code-serverside -- https://nodejs.org/api/vm.html#vm_script_runincontext_contextifiedsandbox_options – apsillers May 12 '16 at 13:41
  • Note that checking for the string `require` is a bad idea -- you will never be able to detect `global["req"+"uire"]`, etc. – apsillers May 12 '16 at 13:43
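
An added example, not part of the original question or comments: it shows the comment's `global["req"+"uire"]` string passing a `require` substring filter, then evaluates an expression in a `vm` context that holds only the supplied variables. `naiveFilterAllows` and `evalWithOnly` are hypothetical names and the inputs are constructed; the Node.js documentation states that `vm` is not a security mechanism, so for untrusted users this belongs inside a separate, restricted process such as the ones the linked projects provide.

```javascript
// Added example; function names are hypothetical, inputs are constructed.
const vm = require('node:vm');

// The filter the question considers: reject input that mentions "require".
function naiveFilterAllows(src) {
  return !/require/.test(src);
}

// Evaluate `src` in a fresh context whose only globals are the JavaScript
// built-ins plus the entries of `vars` (no require, process or module).
function evalWithOnly(src, vars) {
  const context = vm.createContext(Object.create(null));
  for (const [name, value] of Object.entries(vars)) {
    if (!/^[A-Za-z_$][\w$]*$/.test(name)) {
      throw new Error('invalid variable name: ' + name);
    }
    // Rebuild each value from JSON inside the context, so the user's code
    // never receives a reference to an object owned by the server.
    const literal = JSON.stringify(JSON.stringify(value));
    vm.runInContext(`var ${name} = JSON.parse(${literal});`, context);
  }
  // The timeout stops a runaway loop from blocking the event loop forever.
  return vm.runInContext(src, context, { timeout: 50 });
}

// Constructed inputs.
console.log(naiveFilterAllows('require("fs")'));
console.log(naiveFilterAllows('global["req"+"uire"]'));
console.log(evalWithOnly('price * qty', { price: 4, qty: 3 }));
console.log(evalWithOnly('typeof require + "," + typeof process', {}));
```

Only JSON-serializable values can be supplied this way; functions and class instances are deliberately not passed through.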

0 Answers