Comments (9)
Hi!
Thanks for all these observations, gonna check them all tomorrow.
from compiler-util.
Hi!
- This really resolved to the global object (window), because the functions were in global space. Fixed it with your suggestion: `code.call(sandboxProxy, sandboxProxy)`. Now `this` inside sandboxed code points to the sandbox. Do you think it would make more sense to set it to null?
- I am checking the typos.
- I am not sure I understand this one. There are two parts here: the sandbox object (secure, completely controlled by the owner) and the code string (can be injected). If a developer does crazy stuff in the sandbox (like exposing global inside getters) it's his/her own fault. If the sandbox itself doesn't expose globals but the code string can somehow get access to them, then it's the fault of nx-compile. Or did you mean creating objects with getters inside the code string?
Thx for all the feedback!
I don't know, it probably doesn't matter, as long as it's sandboxed.
Regarding 3.
- I'm also not so sure and just guessing from a gut feeling, but:
- What would happen if somebody would define a `has` and a `get` function inside the source code that will be put into the sandbox, so that they maybe affect your designed `has` and `get` functions by somehow shadowing them - so that when they are supposed to be called and prevent access to the global object, the ones defined in the source allow the access to the global object instead.
...maybe this wouldn't work, but maybe it would?
Oh, I got it.
It won't cause issues. `has` and `get` are both part of the Proxy. Firstly I don't think they are actually added as properties to the Proxy object. Secondly it is not possible to figure this out, since even if they are added as properties Proxies are transparent. Meaning that if you have `const proxy = new Proxy(obj, {get, has})` and try to do `proxy.get`, it will always look for `get` inside `obj` instead of `proxy`.
This is the theory, I also tested it quickly to make sure. I think I will include a test for this case to make it clear.
(Side note: if you are interested, someone else found another issue that I am currently struggling with: https://www.reddit.com/r/javascript/comments/4xz2n8/writing_a_javascript_framework_sandboxed_code/)
This fix is on master with documentation and test coverage. I will close this issue now.
I wasn't thinking about `proxy.get` or `obj.get` (or `.has`) ...
What if the source code defines a `function has () { return false }` ... will they maybe be called when `proxy.has` is used to look up stuff instead of

```javascript
// the `has` trap of the sandbox Proxy (isAllowedGlobal is the library's own helper)
function has (target, key) {
  if (isAllowedGlobal(key)) {
    return Reflect.has(target, key)
  }
  return true
}
```
Nope, there is no way to access or overwrite the Proxy traps (has and get) from inside the code.
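The behaviour the last few comments describe (free identifiers answered by the `has` trap, `this` bound to the sandbox proxy, and a `has` function declared inside the code shadowing nothing), as an added example that is not compiler-util's own code; `ALLOWED_GLOBALS`, `makeSandbox`, `runInSandbox` and `demo` are names assumed here, and the allow-list is constructed.

```javascript
// Added example (not compiler-util's own code): a minimal `with` + Proxy
// sandbox in the style the thread discusses. ALLOWED_GLOBALS, makeSandbox,
// runInSandbox and demo are names assumed here for illustration.
// Globals the sandbox owner explicitly lets through (constructed allow-list).
const ALLOWED_GLOBALS = new Set(['Math', 'JSON']);

function makeSandbox(sandbox) {
  return new Proxy(sandbox, {
    // `with (proxy)` consults `has` for every free identifier. Claiming every
    // name that is not allow-listed stops the lookup from falling through to
    // the real global object; the name then resolves against the sandbox.
    has(target, key) {
      if (ALLOWED_GLOBALS.has(key)) return Reflect.has(target, key);
      return true;
    },
    // Property reads (including `this.x` and names claimed by `has`) only
    // ever see the sandbox object, never the handler that holds the traps.
    get(target, key) {
      return Reflect.get(target, key);
    },
  });
}

function runInSandbox(src, sandbox) {
  const proxy = makeSandbox(sandbox);
  const code = new Function('sandbox', `with (sandbox) { ${src} }`);
  // Bind `this` to the proxy as well (the fix from the first comment), so
  // `this` inside the code is the sandbox rather than the global object.
  return code.call(proxy, proxy);
}

// Runs the cases the thread raises; each value is returned so it can be checked.
function demo() {
  const sandbox = { answer: 40 };
  return {
    // Free identifiers resolve against the sandbox; allow-listed globals still work.
    basic: runInSandbox('return Math.max(answer, 2) + 2', sandbox),
    // `this` is the sandbox proxy, not window/globalThis.
    thisIsSandbox: runInSandbox('return this.answer', sandbox),
    // A global the owner did not allow resolves to the sandbox's absent property.
    globalBlocked: runInSandbox('return typeof globalThis', sandbox),
    // Declaring `has` inside the code shadows nothing: the trap lives on the
    // handler object, which the proxy never exposes, so the block still holds.
    hasShadowed: runInSandbox(
      'function has () { return false }; return typeof globalThis', sandbox),
    // `proxy.has` is looked up on the target (the sandbox), not on the handler.
    trapHidden: runInSandbox('return typeof this.has', sandbox),
  };
}
```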
OK, perfect :-) that's awesome. I also read the Reddit thing. Will follow this repo.
It's nice to have a VM in ~20 lines of code
👍
Great (:
I am glad you like it. Thx for the comments.