I use nodejs 0.11.14 and have found an issue during test code snippet calling:

object Object:22
if (ut.isNull(value)) {
^
TypeError: Object object Object has no method 'isNull'
at [object Object]:22:16
at [object Object]:222:17
at Context. (object Object:390:9)

I didn't find isNull() method in util module API.

First off, thanks so much for all your work on vm2. Huge fan! Quick question:

My use case for executing these scripts requires that they are, as securely as possible, sandboxed. I know there are always edge cases and potential vulnerabilities, but one of the major ones we have right now when using vm2 is that it doesn't spawn a sub process to execute in. This makes it pretty easy to right a script that just uses a ton of memory and causes our node process to die. As I have looked at some of the other libraries out there (sandcastle, sandbox, jailed, etc.) they seem to spawn child process to protect against something like this. I was just curious if you had attempted this at all with vm2? I'm more than willing to fork the repository and implement myself, but before doing so, I was just curious if you had any insight.

Thanks again!

Is it safe to:

• pass a promise to an exported script method ?
• receive a promise from a call to an exported script method ?

And more generally : is it safe to pass/receive a callback to/from an exported script method (not through the sandbox, that is) ?

Hi, just heard of some v8 developer talked about API changes in the coming node 8.0. Do you know about the details? Will vm2 be affected?

When I try to load a certain native module twice I get a strange exception.

VMError: Failed to load '<...>/deasync.node': [Module did not self-register.]

Here's a minimal example, which shows the problem. (Requires the npm module 'deasync' to run).

//Look up module path for this platform:
var path = require('path');
var fs = require('fs');

var nodeV = 'node-' + /[0-9]+\.[0-9]+/.exec(process.versions.node)[0];
var nodeVM = 'node-' + /[0-9]+/.exec(process.versions.node)[0];
var modPath = path.join(__dirname,'node_modules','deasync', 'bin', process.platform + '-' + process.arch + '-' + nodeV, 'deasync');

try{
    fs.statSync(modPath + '.node');
}
catch(ex){
    modPath = path.join(__dirname, 'node_modules','deasync','bin', process.platform + '-' + process.arch + '-' + nodeVM, 'deasync');
    fs.statSync(modPath + '.node');
}

//Beginning of the actual problem:

require(modPath); //Require native module for the first time

const NodeVM = require('vm2').NodeVM;
const vm = new NodeVM({
    require: true,
    requireExternal: true
});

vm.run("module.exports = require("+JSON.stringify(modPath)+")"); //Require module for the 2nd time, now inside vm.

//Exception occurs: VMError: Failed to load '<...>/deasync.node': [Module did not self-register.]
//Exception occurs as well if we require the same native module in two separate instances of NodeVm.

No matter what options I set, console is undefined all the time.

ReferenceError: console is not defined

Trying with following Options: inherit, redirect

When I run any code, timeout doesn't seemt to work. This just keeps running:

const VM = require('vm2').VM
const vm = new VM({
  timeout: 1000,
  sandbox: {
    mineflayer: require('mineflayer')
  }
})

vm.run(`
var bot = mineflayer.createBot({
    host: "localhost",
    port: "25565",
    username: "Bot",
    password: null
})

bot.on('login', function() {
    bot.chat('hi everyone!')
})
`)

I run a NodeVM
var result = vm.run('1+1') (just an example)
but result becomes just an empty object.
how can I get the returned value, like I would from doing var result = eval('1+1')?

Is there any way to handle error in async callback?

const {NodeVM} = require('vm2');

const vm = new NodeVM({
    timeout: 10000,
    sandbox: {}
});

try {
  vm.run(`
    setInterval(() => {
      console.log("haha")
      process.exit()              // <--- can't find a way to intercept this!
    }, 1000);

    process.exit()
  `, 'code.js');
} catch(e) {
  console.log(e.message);
}


setInterval(() => {
  console.log("haha 2")
},1000);

I'm seeking for a way to prevent whole script crashing.

is there a way to kill a vm, once it's started?

Thanks for this module. I apologize that this is more of a general question; if you know of a good community to ask this in, please let me know. I'm pretty sure this is too specific for Stack Overflow.

I was attempting to use vm2 in AWS Lambda; unfortunately Lambda is locked to Node.js v4.3.x at the time of this writing. I'm aware vm2@2.x supports this version, but see nodejs/node#3113. I don't believe I can leverage vm2 to do what I'm describing below?

To work around the very real and expensive leaks--since contextified sandboxes don't seem to get garbage collected--I've had to create a singleton sandbox. The sandbox must allow users to access a few select 3p libraries, and must allow asynchronous behavior.

Roughly, the strategy is:

1. Create an object via Object.create(null); contextify it w/ vm.createContext()
2. Create a child object (call it child) via Object.create(null); put it in the contextified sandbox & re-create for each Lambda call. This is the only property of the contextified sandbox (as far as I'm aware!)
3. Place a callback function (e.g. "done(err)") in child, which will be called when the possibly async untrusted code is done executing. Bind it to null; re-create it for each Lambda call
4. Place a reference to a require() in child; re-create for each Lambda call
5. Use JSON.stringify() to put other information into child; this information contains a list of 3p modules to require, among other things. The idea here is to avoid exposing objects created by the the script calling vm.runInContext()--as has been shown to be accessible thru trickery in #32. Re-create for each call
6. Note that everything above originates in the calling Lambda function. Wrap the untrusted code with a script which synchronously:
   1. Calls require() to include necessary 3p modules; exposes these vetted modules to untrusted script
   2. Saves reference to callback function within a closure (this reference is the only vestige of the calling script's context still present upon untrusted script execution that I'm aware of)
   3. Parses any other JSON data
   4. Creates a wrapper for the callback which sanitizes any errors supplied by user. The user cannot "return" data otherwise from the untrusted script
   5. Nullifies and deletes the entire contents of child to be defensive
7. Further wrap untrusted script in a closure, passing the callback wrapper function as done, null as parameter child (which should overwrite the only available property of the sandbox), and other data & modules as parameters; these become what the user perceives to be "globals". Prepend 'use strict'
8. Execute the untrusted code (vm.runInContext()) and end function after it calls done() (it must call done())

Given the Broadway production I had to put on to avoid crippling memory leaks, does this sound reasonably sane? Any obvious holes? I've learned from #32 that putting objects willy-nilly in the sandbox is exposing too much surface, so I've attempted to completely avoid it. And yes, it's very ugly, if you're curious.

(FWIW, I haven't found any concurrency-related issues with data bleeding into other functions while testing; not sure what kind of performance penalties this will end up incurring, but I'll take that over the memory leaks. An alternative is to run the untrusted scripts in worker processes, which sounds even slower)

Hi.
If unsafe code contain setInterval then timeout for VM is not work.

Example:

const {VM} = require('vm2');

const vm = new VM({
timeout: 1000,
sandbox: {
setInterval: setInterval
}
});

try {
vm.run("setInterval(function(){},100)")
} catch (e) {
console.log(e);
}

based on issues like the ones mentioned in

#32

I would like to know if I can actually call a host function safely from the sandbox? an example:

const {VM} = require('vm2');
function hostFunction() {
    //for example, allow HTTP get from a single url, without giving full access to HTTP package
    console.log('host function called from inside sandbox');
}
let sandbox = {
    hostFunction: hostFunction
}
let vm = new VM({ sandbox });
vm.run(`hostFunction();`)

@patriksimek thanks for working on a safe sandbox.

I'm looking for some docs on how to return sandbox results asynchronously

Do you have any advice or examples?

I have the following suggestion below. However I see that the callback environment will be different than the sandbox env. This should normally be ok. Is there a way around this?

const {NodeVM} = require('vm2');
const request = require('request');

const vm = new NodeVM({
    sandbox:{
      request: request,
    }
});

let functionInSandbox = vm.run(`module.exports =  function(callback) {
  console.log('sandbox process env', process.env) ;

  request('http://google.com', function (error, response, body) {

        if (!error ) {
            callback( response.statusCode )
        }
    })
}`);

callbackFunc = function( result ){
  console.log('result after async', result);
  console.log('callback process env', process.env) ;
}

functionInSandbox( callbackFunc )

Consider following code as example to reproduce bug:

var VM = require('vm2').VM,

// Case 1:
var vm1 = new VM({
    timeout: 5000
});

// Works correct, throws exception
vm1.run('while(1);')

// Case 2:
var vm2 = new VM({
    timeout: 5000,
    sandbox: {
        a: {
            get b () {
                while(1);
                return 1;
            }
        }
    }
});

// Not stopping from looping, too bad!
vm2.run('a.b')

Actualy, that will happen, when exectuing any code inside run(), having that getter inside sandbox because of main.js:79.

Of course, i can find a workaround here, but i suppose, that sandbox can contain something untrusted either.

when trying to call "vm.run" again the code does not start - Is this a known issue or configuration?

Tried using this in an AWS lambda and got a warning about requiring node 6. Thinking that should be made explicit in the README.

It would be very useful to insert a memory limit into vm2 options, so that process gets killed if limit is passed.

Got excited looking at the ability to have control on limiting a user script from accessing built-in modules.

The access denial works for only one level, if an user script loads an other module which indeed access built-in module then no checks are done.

Here is a simple example for the scenario that I am talking about:

STEP 1 :: Create a main.js file which executes sampleOne.js in a sandbox.

var fs = require('fs')
const {NodeVM} = require('vm2');
const vm = new NodeVM({
    console: 'inherit',
    sandbox: {},
    require: {
        external: true,
        builtin: ['path'],
        root: "./",
        mock: {
        }
    }
});
var scriptContent = fs.readFileSync('./sampleOne.js');
vm.run(scriptContent, 'sampleOne.js');

STEP 2 :: Create sampleOne.js file with following content which invokes an other module.

var sampleTwo = require('./sampleTwo.js');
var fileName = 'sampleTwo.js';
console.log('SampleOne:: Invoke sampleTwo printFileContent:' + fileName);
sampleTwo.printFileContent(fileName); 

STEP 3:: Create sampleTwo.js which will access built-in "fs" module to read a file content.

var fs = require('fs');
exports.printFileContent = function(fileName) {
    console.log('SampleTwo:: print content of file: ' + fileName);
    var fileContent = fs.readFileSync(fileName)
    console.log('\n\nfs module is accessible.\n');
}

STEP 4:: Execute main.js and in the output we can see that sampleTwo.js file can read its own file content using fs module.

ksingh-mac:test ksingh$ node main.js 
SampleOne:: Invoke sampleTwo printFileContent:sampleTwo.js
SampleTwo:: print content of file: sampleTwo.js
fs module is accessible.

When I try to access fs module in sampleOne.js, there is a proper error message saying:

VMError: Access denied to require 'fs'
    at _require (/Users/ksingh/projects/tekton/nodejs/node_modules/vm2/lib/sandbox.js:178:13)
    at Object.<anonymous> (/Users/ksingh/projects/tekton/nodejs/test/sampleOne.js:1:72)
    at NodeVM.run (/Users/ksingh/projects/tekton/nodejs/node_modules/vm2/lib/main.js:301:27)
    at Object.<anonymous> (/Users/ksingh/projects/tekton/nodejs/test/main.js:17:4)
    at Module._compile (module.js:541:32)
    at Object.Module._extensions..js (module.js:550:10)
    at Module.load (module.js:458:32)
    at tryModuleLoad (module.js:417:12)
    at Function.Module._load (module.js:409:3)
    at Function.Module.runMain (module.js:575:10)

Is there any other setting that needs to be done on NodeVM to deny access for built-in modules for nested files.

Note: I am using node v6.2.0.

Guys, lib doesn't work with node >= 4.0

> nvm use 4.0
> npm test
> /Users/Shopgate/shopgate/fcs-worker/node_modules/vm2/node_modules/mocha/lib/reporters/base.js:168
      , stack = err.stack || message
                   ^

Error: Unknown encoding: 5406
  at assertEncoding (fs.js:88:11)
  at Object.fs.readSync (fs.js:594:5)
  at Object.fs.readSync (/Users/Shopgate/shopgate/fcs-worker/node_modules/vm2/node_modules/mocha/node_modules/glob/node_modules/graceful-fs/polyfills.js:218:23)
  at Object.fs.readFileSync (fs.js:433:24)
  at Object.exports._compileFile (/Users/Shopgate/shopgate/fcs-worker/node_modules/vm2/node_modules/coffee-script/lib/coffee-script/coffee-script.js:224:14)
  at getSourceMap (/Users/Shopgate/shopgate/fcs-worker/node_modules/vm2/node_modules/coffee-script/lib/coffee-script/coffee-script.js:343:22)
  at getSourceMapping (/Users/Shopgate/shopgate/fcs-worker/node_modules/vm2/node_modules/coffee-script/lib/coffee-script/coffee-script.js:351:19)
  at formatSourcePosition (/Users/Shopgate/shopgate/fcs-worker/node_modules/vm2/node_modules/coffee-script/lib/coffee-script/coffee-script.js:303:16)
  at /Users/Shopgate/shopgate/fcs-worker/node_modules/vm2/node_modules/coffee-script/lib/coffee-script/coffee-script.js:369:33
  at Function.Error.prepareStackTrace (/Users/Shopgate/shopgate/fcs-worker/node_modules/vm2/node_modules/coffee-script/lib/coffee-script/coffee-script.js:372:7)
  at /Users/Shopgate/shopgate/fcs-worker/node_modules/vm2/node_modules/mocha/lib/reporters/base.js:168:20
  at Array.forEach (native)
  at Function.exports.list (/Users/Shopgate/shopgate/fcs-worker/node_modules/vm2/node_modules/mocha/lib/reporters/base.js:159:12)
  at Spec.Base.epilogue (/Users/Shopgate/shopgate/fcs-worker/node_modules/vm2/node_modules/mocha/lib/reporters/base.js:312:10)
  at emitNone (events.js:72:20)
  at Runner.emit (events.js:166:7)
  at Runner.uncaught (/Users/Shopgate/shopgate/fcs-worker/node_modules/vm2/node_modules/mocha/lib/runner.js:563:8)
  at process.uncaught (/Users/Shopgate/shopgate/fcs-worker/node_modules/vm2/node_modules/mocha/lib/runner.js:580:10)
  at emitOne (events.js:77:13)
  at process.emit (events.js:169:7)
  at process._fatalException (node.js:211:26)

npm ERR! Test failed.  See above for more details.

Switching to 0.12 makes everything ok

Noticed this while trying to require a dependency in a vm. Some code to reproduce:

const { NodeVM } = require("vm2");

const vm = new NodeVM({
  console: "redirect",
  sandbox: {},
  require: {
    builtin: ["fs"]
  },
  wrapper: "none"
});

vm.run("const fs = require('fs'); fs.constants");

Full stack trace:

node_modules/vm2/lib/main.js:327
			throw this._internal.Decontextify.value(e);
			^
TypeError: 'get' on proxy: property 'constants' is a read-only and non-configurable data property on the proxy target but the proxy did not return its actual value (expected '[object Object]' but got '[object Object]')
    at Object.<anonymous> (vm.js:1:91)
    at NodeVM.run (node_modules/vm2/lib/main.js:325:27)
    at Object.<anonymous> (script.js:12:4)
    at Module._compile (module.js:556:32)
    at Object.Module._extensions..js (module.js:565:10)
    at Module.load (module.js:473:32)
    at tryModuleLoad (module.js:432:12)
    at Function.Module._load (module.js:424:3)
    at Module.runMain (module.js:590:10)
    at run (bootstrap_node.js:394:7)

Let me know if there's any other information I can give you to be helpful!

If you run "new Uint8Array(1e+100)" or with another large number, the sandbox hangs. The event loop is blocked, and the whole process freezes.

I just saw that setTimeout and setInterval are not working inside the VM. I am using version 3.0.0.

Example 1:

const {NodeVM} = require('vm2');
let vm = new NodeVM();
vm.run('setTimeout(function(){console.log(12345)}, 10000);');

Instead of printing 12345 after 10s this prints it immediately.

Example 2:

const {NodeVM} = require('vm2');
let vm = new NodeVM();
vm.run('let counter = 0; function foo(){console.log(counter++);} setInterval(foo, 5000);');

Instead of increasing and printing the counter every 5s it does it what seems like every millisecond.

I didn't see any comment in the documentation that those functions do not work. Is this a bug or did I overlook something?

Hello there :)

Just wanted to know if there are clear advantages using vm2 over node's native VM module -- tried to look for it in the readme but couldnt find anything. I'm using vm on node 7 and was wondering if I should potentially look at vm2 if it fixes / handles specific use-cases.

Cheers!

Hi

I'm trying to use vm2 in order to allow user written scripts which run in vm2 to use 'require'. I added

var request = require('request')

to the top of my 'userScript' and then added the userScript to vm2's sandbox. When I try and run the vm by doing ...

var result = vm2.run(helper)

my node process crashes with a 'require is not defined' error.

How do I call 'require' statements in user scripts ?

More details on this question can be found in another question (#20)

Thanks
Dave

I will use your VM module to make my code more modular.

When i youse mongoose inside the VM i got a "Access Denied" error:
VMError: Access denied to require 'module'

    // read source from module
    var module = that.modules[key];
    var source = fs.readFileSync(module.path, "utf8");

    // vm options
    var options = {
      console: 'inherit',
      sandbox: {
        log: module.log
      },
      require: true,
      requireExternal: true,
      //requireNative: "",
      requireRoot: "./",
      useStrict: false

    };

    // create vm & run
    var vm = new NodeVM(options);
    var moduleEntry = vm.run(source, module.path);

    moduleEntry(that.injector);

  });

I wanted to know what you mean by "redirect to events" when using the redirect option for console in NodeVM. I have always used the sandbox method, of just attaching a console object with its own methods, however I wanted to know if there was an alternative cleaner solution

Hi,

first of all. Thank you for v3! Its really really amazing.

Unfortunately I found another bug.
It is possible to require restricted native modules in required modules.

For example:
Lets say the code in the vm want to get a file from the filesystem.

The way via fs works fine:

var NodeVM = require('vm2').NodeVM;

var options = {
    console: 'inherit',
    require: {
        external: true,
        builtin: [],
        root: "./"
    },
    nesting: true

};

var vm = new NodeVM(options);
var functionInSandbox = vm.run("module.exports = function(){  var fs = require('fs');  fs.readFile('./node_modules/vm2/index.js', function (err, data) { console.log(err, ''); }); }", __filename);
vm.call(functionInSandbox);

It throws me an error which is correct.

But lets use one random fs module from npmjs:

var NodeVM = require('vm2').NodeVM;

var options = {
    console: 'inherit',
    require: {
        external: true,
        builtin: [],
        root: "./"
    },
    nesting: true

};

var vm = new NodeVM(options);
var functionInSandbox = vm.run("module.exports = function(){  var read = require('read-file');  read('./node_modules/vm2/index.js', function (err, data) { console.log(err, data.toString('utf-8')); }); }", __filename);
vm.call(functionInSandbox);

This time I can read the complete file.

It looks like that the require method in the modules are not restricted.

Node's VM module allows to compile a script with vm.Script() and at a later point contextify it with a number of different functions (e.g. script.runInNewContext). This is handy when one need to run the same exact code in multiple contexes. I presume that VM2 compiles the string-code every time vm.run() is called. I expect that this would result in performance degradation.

Would it be a good idea for VM2's API to support some soft of way to reused a compiled piece of code multiple times across contexes? Is there a work-around to do this today?

It's possible to escape the VM and perform very undesirable actions.

Found via the following gist in relation to node's native VM: https://gist.github.com/domenic/d15dfd8f06ae5d1109b0

Take the following 2 code examples:

const VM = require('vm2').VM;

const options = {
    sandbox: {}
};

const vm = new VM(options);

vm.run(`
    const ForeignFunction = global.constructor.constructor;
    const process1 = ForeignFunction("return process")();
    const require1 = process1.mainModule.require;
    const console1 = require1("console");
    const fs1 = require1("fs");
    console1.log(fs1.statSync('.'));
`);

and :

const NodeVM = require('vm2').NodeVM;

const options = {
    console: 'off',
    sandbox: {},
    require: false,
    requireExternal: false,
    requireNative: [],
    requireRoot : "./"
};

const vm = new NodeVM(options);
vm.run(`
    const ForeignFunction = global.constructor.constructor;
    const process1 = ForeignFunction("return process")();
    const require1 = process1.mainModule.require;
    const console1 = require1("console");
    const fs1 = require1("fs");
    console1.log(fs1.statSync('.'));
`);

Running either of these outputs the following:

{ dev: 16777220,
  mode: 16877,
  nlink: 14,
  uid: 502,
  gid: 20,
  rdev: 0,
  blksize: 4096,
  ino: 14441430,
  size: 476,
  blocks: 0,
  atime: 2016-06-15T22:20:05.000Z,
  mtime: 2016-06-15T22:19:59.000Z,
  ctime: 2016-06-15T22:19:59.000Z,
  birthtime: 2016-06-09T01:02:12.000Z }

I've validated this behavior on both v4.4.5 and v6.2.1

With babel-register module

    var renderVM = new NodeVM({
        console:         'inherit',
        require:         true,
        requireExternal: true,
        requireNative:   [ 'path', 'fs', 'util', 'tty', 'module' ],
        sandbox: {
            process: { argv: [], env: {} },
            __babel: sails.config.babel
        }
    });

    console.log(renderVM.run(`
        require("babel-register")(__babel);
        module.exports = require("../../../editor/app/render/render").default;
    `, __filename));

I'm creating multiple VM's in my script and I want to close/kill them and free up their resources as soon as their work is done.

I checked the tests and the script in there is just setting the vm variable to null, allowing the vm object to be garbage collected by js.

Is this is the appropriate way of exiting a VM? And does it free up the resources allocated to the VM?

If you set the compiler option to be coffee script or a custom function it will only be used to transform the main file you're running. If the main file includes other scripts, they won't be transformed.

As you can see in sandbox.js, line 50 the required file is not passed through _compileToJS() before being executed.

const VM = require('vm2').VM
const sandbox = { foo: function() { } }
sandbox.foo.bar = 1
const vm = new VM({ sandbox })
vm.run('foo.bar') // undefined

I think this should work.

Is there a way to set up the sand box such that the parent script launching the child script can pass objects by reference to the child script so that it can call into the objects/methods? There is very thin documentation on sandbox for vm2 hence the question. I tried something like

var VM = require('vm2').VM;
var localvar = 'foo';
var localvar2 = 'bar';
function myobj(input)
{
this.localvar= = input;
}

var options = {
timeout : 1000,
sandbox: {myobj, localvar2}
};

var vm = new VM(options);
vm.run('myobj(localvar2);');

This does not give me the desired result. Any pointers would be very much appreciated.

Also would be good to know why the sanbox offered by vm2 is better than the sandbox from node.js

Hi,

when I do a HTTP Request after a run of the NodeVM the following Error appears.

TypeError: Invalid non-string/buffer chunk
    at chunkInvalid (_stream_readable.js:372:10)
    at readableAddChunk (_stream_readable.js:124:12)
    at Socket.Readable.push (_stream_readable.js:110:10)
    at TCP.onread (net.js:523:20)

Here is my code:

var NodeVM = require('vm2').NodeVM;
var request = require('request');

var options = {
    console: 'inherit',
    require: true,
    requireExternal: true,
    requireNative: [],
    requireRoot : "./"
};

var vm = new NodeVM(options);
var functionInSandbox = vm.run("module.exports = function(){  console.log('Output from function in sandbox'); }", __filename);
vm.call(functionInSandbox);


request('http://google.com', function (err, response, body) {
    if (err) {
        console.error(err.stack);
        return;
    }
    console.log(body);
});

My node version is 4.3.0

When I remove the 'vm.run' and the 'vm.call' the request works.
I already look into the code but i cant find the reason why this happens but i cant find any reason why :(

Using promises (or similar async callbacks), one can circumvent the timeouts:

var vm = new vm2({
    timeout: 10,
    sandbox: {}
});
vm.run("new Promise((r,j)=>r()).then((v)=>{while(true);})")

The while(true) code is not time limited at all and will lock up the entire node.js process.
For simplicity, a non-shortened version of the code in the string:

new Promise( (resolve, reject) => resolve() )
.then( function(value) {
    while(true);
}

Is there some fail safe way to fix/prevent this? Or is this an intrinsic problem of how node.js vm works? Obviously, doing

sandbox: { Promise: null }

prevents the user from creating promises, but as long as the user has access to any kind of async code, he can crash the VM.

I want to allow requiring of all modules/files except specific files in an array. I am trying to block access to APIs in a secure system.

Also, does this block requires of requires (i.e. the module originally required requires a file that requires restricted module).

Lastly, can someone run a child process that runs the CLI version of my app? I want to allow access to CLI programs (child processes) except for mine.

This is not an issue with vm2 itself, but a question about functionality (and perhaps to extend the docs with examples):

I have a scenario where I want to use a sandbox/jail to run long-lived untrusted code (similar to a Web Worker). The code should use an API to both listen to events from an outside system and respond by performing simple actions restricted by the API (aka Macros). Optimally, these snippets of code supplied by system administrators should only have access to this API and not much else. I don't mind the untrusted code hogging the event loop (e.g. while (true) {}) for the time being.

What are the options for having event-driven input and output between the sandbox context and the outside world? The API in question uses an underlaying Duplex stream of JSON data, which would be nice to proxy/relay into the sandbox. E.g. connecting (via methods/callbacks if necessary) a global and a contextified stream would most likely be sufficient. Would vm2 be able to support this in a way? Could you provide any thoughts/input on a minimal viable example for this?

const vm = new NodeVM({                   
  require: true,                          
  requireExternal: true                   
});                                       

vm.run('console.log(require("foobar"));');

fails with:

sandbox.js:121                                  
          paths = current_dirname.split(pa.sep);

TypeError: Cannot read property 'split' of null

Meanwhile, passing a second parameter to vm.run(..., filename) works. Reading the code indicates that filename should be rather optional.

Is there a reason why the "timeout" option is not implemented for the NodeVM case (since it is available for regular VM)?
I think it would be a nice improvement to the possibilities.

Is this something that is going to be added in the future?

Hi

Using Node's built-in vm - I can do the following ...

var userScript = 'var dummy = 0;' ; // note userScript contains javascript code 
var helper = 'if (dummy > 10) { console.log("time to stop"); } else { console.log("keep going"); }" ;

var sandbox = {
  userScript: userScript
};
var context = vm.createContext(sandbox);
var script = new vm.Script(helper);

script.runInContext(context);

Essentially - I have a user supplied javascript script along with a 'helper' script that also contains javascript. I 'combine' these two scripts when I say "script.runInContext(context)".

Can I do the same thing using vm2 and if so - how ?

Thanks
Dave

When using NodeVM in combination with vm.call(methodname, params), a "while(true)" statement still blocks execution. Am i doing something wrong or is this a bug?

My code:

    // sandbox properties
    var options = {
      console: 'inherit',
      sandbox: {
        "var1": var1,
        "var2": var2
      },
      require: true,
      requireExternal: false,
      requireNative: [],
      timeout: 100 // see my other issue, since this is not working
    };
    var vm = new NodeVM(options);
    var script= vm.run("module.exports = { onLoad: function(){ while(true);}}");

    vm.call(script.onLoad); // this blocks execution

How do I use this module to execute untrusted code securely and wait for a return data? The return data can be a JSON Document.

Would you be able to provide a sample gist for the use case above? Thanks!

Hi,

It is just a question, but, in order to keep the hand on the master process and avoid while(true){}, why no use a child process?

I'm kind of new with the sandbox and vm systems.

Here is my code:

//index.js
'use strict';

let child_process = require('child_process');

setInterval(function(){
    console.log('alpha');
}, 1000);

var child = child_process.fork('startCode.js');

setTimeout(function(){
    child.kill();
}, 10000);

//startCode.js
'use strict';

const NodeVM = require('vm2').NodeVM;

const vm = new NodeVM({
    console: 'inherit',
    sandbox: {},
    require: {
        external: true,
    }
});

setInterval(function(){
    console.log('alpha2'); 
}, 1000); //never shown do to infinite loop

let functionInSandbox = vm.run("while(true){}");

What do you think about it?

I try to execute input from the commandline in a sandbox with vm2.
Unfortunately, after executing one command, I always get an error as soon as I press another key.

L:\tmp>node test.js
> console.log('Hellow World!');
Hellow World!
{}
> events.js:85
throw er; // Unhandled 'error' event
^
TypeError: Invalid non-string/buffer chunk
at chunkInvalid (_stream_readable.js:384:10)
at readableAddChunk (_stream_readable.js:140:12)
at ReadStream.Readable.push (_stream_readable.js:126:10)
at TTY.onread (net.js:538:20)

L:\tmp>

Test script:

'use strict';

var vm = require('vm2');
var readline = require('readline');

var rl = readline.createInterface({

    input: process.stdin,
    output: process.stdout
});

rl.setPrompt('> ');
rl.prompt();

rl.on('line', function ($line) {

    var options = {

        sandbox: {},
        console: 'inherit',
        language: 'javascript',
        require: true,
        requireNative: true,
        requireExternal: true,
    };

    var sb = new vm.NodeVM(options);


    console.log(sb.run($line));
    rl.prompt();
});

Versions:
vm2 - 0.2.2

http_parser - 2.3
node - 0.12.2
v8 - 3.28.73
uv - 1.4.2-node1
zlib - 1.2.8
modules - 14
openssl - 1.0.1m

Heads up - testing vm2 with the latest iojs has flagged an odd issue with Buffer, probably due to the various V8 changes related to Buffer.

var VM = require('vm2').NodeVM;

var buf1 = new Buffer(1);
console.log('check before VM:', (buf1 instanceof Buffer));

var vm = new VM();
vm.run("console.log('ran VM')");

var buf2 = new Buffer(1);
console.log('check after VM:', (buf2 instanceof Buffer), (buf1 instanceof Buffer));

The output of this is...

Node 0.12.7

check before VM: true
ran VM
check after VM: true true

iojs 3.3.0

check before VM: true
ran VM
check after VM: false true

Buffer is no longer instanceof-able and plays havoc with future API calls e.g. fs.readSync due to this check https://github.com/nodejs/node/blob/8f58fb92fff904a6ca58fd0df9ee5a1816e5b84e/lib/fs.js#L589

With Node4 moving forward from an iojs base, this is probably worth looking at.

I would like an option which is a function that takes vm2's require as an argument and returns a new function that should be used instead of vm2's require.

Hey there,

i had instantiate the running script over VM. Here is an example:

Executed Script

var Server = function Server() {
    this.test = function test() { console.log("HI"); };
};

Instantiate

_vm = new VM({/* ... *});
vm.run(script, _path + '/main.js');
// Instantiate the Class
var Server = new _vm._context.Server();
// Call the method
Sevrer.test();

It's working fine on VM. But i had updated to NodeVM to use require, setTimeout and other,..
But how i can instantiate the Server "class" under NodeVM?

Under _vm._context the Server is not available. I had try to use module.exports, but here, i can't instantiate it. Not over the context and not over the returned value from _vm.run().

The Result is:

TypeError: Server is not a constructor

Can anyone help me?

var vm = require('vm2').NodeVM;

function Data() {
    this.key1 = 'value1';
};

Data.prototype.set = function (field, value) {
    this[field] = value;
};

Data.prototype.get = function (field) {
    return this[field];
};

var sandbox = new vm();

var code = 'module.exports = function (Data) {' +
   'try {' +
      'var data = new Data();' +
      'data.set("key2", "value2");' +
      'return data;' +
   '}' +
   'catch(error) {' +
      'return error;' +
   '}' +
'};'

var fn = sandbox.run(code);
var result = sandbox.call(fn, Data);

console.log(result);

The above code returns an error [TypeError: undefined is not a function]