1

how to restrict global variables and functions in node js?

like: require method

i want to limit use of require method. i don't want any node app to access "fs" in my node framework which i build on top of express, they can only require modules which i want them to. and also i want to restrict access to process, global scope .

suppose when i load any js library for any app

like:

var x=require('app1.js');

in my framework

then i want to make sure this app1.js cannot access filesystem using require("fs")

app1.js 

var x=require("fs");
exports.hello=function(){
   console.log(typeof x.readSync);
}

i want this console to print undefined;

and in this sample

var x=require("helper.js");
exports.hello=function(){
   console.log(typeof x.hello);
}

i want this console to print function;

thanks in advance

Pradeep
  • 117
  • 5
  • Sandboxing 3rd party code is well described in this answer: http://stackoverflow.com/a/11796148/1762886 – m6k Jan 14 '13 at 17:19
  • can vm return object after executing code in different context ? and can i pass arguments to vm which will be available inside? – Pradeep Jan 16 '13 at 18:48

3 Answers3

1

I'd create a new function that will act like require.

requireSafe = function(param){
    if(!isAllowedLogic(param)) return null;
    else return require(param);
}

And when someone submits code, you append var require; at the top to prevent them to use the regular require. Or you search in their submission and only approve it if it doesn't contain require nor eval.

RainingChain
  • 7,397
  • 10
  • 36
  • 68
0

Why would you want to do that?

It is not possible to change the way require works, as it is a build-in node.js function.

  • i made a simple framework to host users server code, and i don't want them to access filesytem and similar api. that's why i want to restrict or abstract require method. – Pradeep Jan 14 '13 at 12:50
  • then you should do this using UNIX chroot and building a secure sandbox. node, however, is not the correct place to do that. http://de.wikipedia.org/wiki/Chroot –  Jan 14 '13 at 13:10
  • i expected to find some work around in javascript instead of low level coding. i have got way to restrict user using eval but i have doubt whether its secure or not. – Pradeep Jan 14 '13 at 18:27
  • using a chroot is not "low level coding". its simple unix setup and the only thing that will help you with your problem. using eval as a security mechanism is the worst thing you can do, really - you'll end up writing your own javascript interpreter - just spend a few hours and learn about chroots - for real –  Jan 14 '13 at 21:28
0

Try this library, for a bit of detail of how its security works, from the README :

A Node.js subprocess is created by the Jailed library;

the subprocess (down)loads the file containing an untrusted code as a string (or, in case of DynamicPlugin, simply uses the provided string with code)

then "use strict"; is appended to the head of that code (in order to prevent breaking the sandbox using arguments.callee.caller);

finally the code is executed using vm.runInNewContext() method, where the provided sandbox only exposes some basic methods like setTimeout(), and the application object for messaging with the application site.

Joel Hernandez
  • 1,817
  • 4
  • 18
  • 27