
Is this a possible solution for a pure JavaScript sandbox? My intention is to execute an untrusted string of code without giving access to DOM, window, this, and so on, but allowing the user to access Math, JSON and other functionality. I've tested it on Chrome.

UPDATE: I want to give users the possibility to save user-defined code on the server and make it available to other users. I'm looking for a way to deny access to the document in order to make it safe.

function safe(code, args)
{
    if (!args)
        args = [];
    return (function(){
        // Shadow every enumerable property of window (document, console,
        // window itself, ...) with a local, undefined var so that the
        // eval'd code cannot resolve those names. Non-enumerable built-ins
        // such as Math and JSON are not enumerated and stay reachable.
        var i;
        for (i in window)
            eval("var " + i + ";");
        // Run the untrusted string as a direct eval inside a closure that
        // sees the shadows; args become that closure's arguments object.
        return function(){ return eval(code); }.apply(0, args);
    })();
}



var ff = function()
{
    return 3.14;
};

console.log(safe("this;"));                           // Number
console.log(safe("window;"));                         // undefined
console.log(safe("console;"));                        // undefined
console.log(safe("Math;"));                           // MathConstructor
console.log(safe("JSON;"));                           // JSON
console.log(safe("Element;"));                        // undefined
console.log(safe("document;"));                       // undefined
console.log(safe("Math.cos(arguments[0]);", [3.14])); // -0.9999987317275395
console.log(safe("arguments[0]();", [ff]));           // 3.14

I've proposed it on an old post: https://stackoverflow.com/a/11513690/76081

Thanks!

alexroat
  • I think you'd be crazy to deploy anything like this if there's actual sensitive/valuable information at risk. – Pointy Jul 16 '12 at 22:55
  • Can you elaborate a little more on why you would need this? I can open up the Chrome console and redefine just about anything. I'm not sure how you would secure client-side JavaScript running in a browser without something like ActiveX, etc. – Perry Tew Jul 16 '12 at 22:56
  • @Pointy: first, I asked if this would fit as a solution. Please, can you be more constructive in your comment? – alexroat Jul 16 '12 at 23:02
  • @Perry Tew: My intention is to load some user code from the server and allow it to run in the browser without giving access to DOM, window, this... and so on. – alexroat Jul 16 '12 at 23:06
  • I am trying to be constructive. The point is that any attempt to sandbox JavaScript, if it intends to protect anything that's actually valuable, is almost certainly doomed to failure. There are all sorts of ways to subvert a mechanism like that. Think about what somebody could do to your setup with a simple Greasemonkey script. – Pointy Jul 16 '12 at 23:09
  • I agree with Pointy, and I don't think anyone in the comments is trying to be a jerk about things. But the terms 'safe' and 'trusted' just don't go with ad-hoc javascript. You might be trying to provide a convenience function for users, etc. There's value in that in certain scenarios. I just wanted to know a little more. – Perry Tew Jul 16 '12 at 23:16
  • I know it is possible to modify the code in this way. That's not my intention. I simply want to avoid user A saving code that, for instance, changes an Element in the DOM, so that user B, who runs A's code, gets his page defaced (or worse)... – alexroat Jul 16 '12 at 23:18
  • it's not possible to shield anyone from the rest of the DOM/JS env on the client. All they would have to do is `(function() { /* this inside here is the global window */ })();` – Matt Greer Jul 16 '12 at 23:20
  • your best bet is to have everyone's code run inside an iframe. Even that's (very) exploitable. But at least as far as code bumping into each other, iframes isolate in that regard pretty well. – Matt Greer Jul 16 '12 at 23:23

1 Answer


It's unsafe. The following construction will get the global window object from inside your sandbox:

(function(){return this;})()

At which point, you can extract anything you want from it, including goodies like document.

Hat tip to T.J. Crowder for his answer on https://stackoverflow.com/a/2673780/149341 in which he described this exploit.

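The sandbox from the question and the escape from the answer, as an added runnable example that is not part of the original post, its comments or the answer. It assumes Node rather than a browser, so the global object is `globalThis` instead of `window`, and a constructed `appState` global stands in for `document`. The helper names `makeSandbox` and `probe` are mine. The sandbox body is compiled with the Function constructor so that it is a sloppy-mode function however the file is loaded: the original depends on sloppy-mode direct `eval("var x;")` injecting bindings into the enclosing function, which strict mode (and therefore an ES module) does not permit. The last check goes beyond the page: a variant that prepends `'use strict'` to the untrusted code closes the `this` hole the answer describes, but `[].constructor.constructor('return this')()` still reaches the global object, because the Function constructor always compiles a sloppy-mode function. That is the general point the comments make about client-side sandboxing.

```javascript
// Added example (not the original post's code). Reconstructs the question's
// sandbox and shows the escape from the answer under Node.
// Assumption: Node, so the global object is `globalThis` rather than `window`.

// Constructed sample: an enumerable global the asker would want out of reach
// (a stand-in for `document`). Plain assignment makes it enumerable, so the
// sandbox's for-in loop will shadow it just as it shadows window/document.
globalThis.appState = { user: "alice", session: "constructed-sample-token" };

// Builds the question's safe(code, args) with the Function constructor, so the
// body is a sloppy-mode function however this file is loaded. That matters:
// the original relies on sloppy-mode direct eval("var x;") injecting bindings
// into the enclosing function, which strict mode does not allow.
// `prefix` is prepended to the untrusted code ("" reproduces the original).
function makeSandbox(prefix) {
  return new Function("code", "args", `
    if (!args) { args = []; }
    return (function () {
      // Shadow every enumerable global with an undefined local var.
      // Non-enumerable built-ins (Math, JSON, Function, globalThis, ...) are
      // not enumerated and therefore stay reachable, by design.
      for (var key in globalThis) {
        if (/^[A-Za-z_$][A-Za-z0-9_$]*$/.test(key)) { eval("var " + key + ";"); }
      }
      // Direct eval inside a closure that sees the shadows; args -> arguments.
      return function () { return eval(${JSON.stringify(prefix)} + code); }.apply(0, args);
    })();
  `);
}

const safeOriginal = makeSandbox("");               // as posted in the question
const safeStrict   = makeSandbox("'use strict'; "); // closes only the `this` hole

// Runs the untrusted strings through a sandbox and returns what each yields.
function probe(sandbox) {
  // The answer's escape: in sloppy mode a plain call's `this` is the global.
  const viaThis = sandbox("(function () { return this; })();");
  // Beyond the page: Function (reached through any object's constructor chain)
  // always compiles a sloppy-mode function, even when invoked from strict code.
  const viaCtor = sandbox("[].constructor.constructor('return this')();");
  return {
    shadowed:   sandbox("typeof appState;") === "undefined",          // intended
    mathWorks:  sandbox("Math.cos(arguments[0]);", [Math.PI]) === -1, // intended
    thisEscape: viaThis === globalThis,
    ctorEscape: viaCtor === globalThis,
    leaked:     viaCtor.appState, // the "protected" global, read from inside
  };
}

function main() {
  console.log("original:", probe(safeOriginal));
  console.log("strict:  ", probe(safeStrict));
}
main();
```

Run it with node. `probe()` returns the observations as values rather than only printing them: for `safeOriginal` both escapes succeed, for `safeStrict` only the Function-constructor one does, and in both cases the shadowed `appState` is read back through the leaked global object. On a current browser the picture is the same, and the non-enumerable `globalThis` binding is itself reachable from inside the sandbox in exactly the way `Math` is.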