safely sandbox and execute user submitted javascript

safely sandbox and execute user submitted javascript  using -'javascript,node.js,eval,sandbox,sanitize'

I would like to have the ability to let users submit arbitrary JavaScript code, which is then sent to a Node.JS server and safely executed before the output is sent back to multiple clients (as JSON). The eval function comes to mind, but I know this has multiple security concerns (the user submitted code would be able to access Node's File API, etc). I have seen some projects like Microsoft Web Sandbox and Google Caja which allow execution of sanitized markup and script (for embedding third-party ads on websites), but it seems that these are client-side tools and I'm not sure if they can be safely used within Node.

Is there a standard way to sandbox and execute non-trusted JavaScript in Node, getting the output. Is it a mistake to try and do this server-side?

EDIT: It's not important that the user be able to leverage the full capabilities of JavaScript, in fact it would be preferable to be able to pick and choose which APIs would be provided to the user code.

EDIT: I am going to go ahead and update with what I found. This Sandcastle module (bcoe/sandcastle) seems to aim to do what I have in mind. Not sure how secure it is, but since I this is not for anything too important I think I'll if try it. I'll add my own answer if I'm able to successfully do this.

asked Sep 18, 2015 by badhwar.rohit
0 votes

3 Answers

0 votes

This answer is outdated as gf3 does not provide protection against sandbox breaking - it uses require('child_process') instead of require('vm').

answered Sep 18, 2015 by nimisha.jagtap
0 votes

Under Node.js you may create a sandboxed child process, but you also need to append the code with "use strict";, otherwise it is possible to break the sandbox with arguments.callee.caller.

Not sure why you need to send it to the server, because the code may also be executed in a sandboxed web-worker.

Also take a look at my Jailed library which simplifies everything just mentioned for both Node.js and web-browser, and additionally provides an opportunity to export a set of functions into the sandbox.

answered Sep 18, 2015 by mca.agarwal
0 votes

You can use sandbox support in nodejs with vm.runInContext('js code', context), sample in api documentation:

answered Sep 18, 2015 by balvant maurya