
I'm designing a game and have a somewhat unique problem.

To play the game, players each write a simple JavaScript program that continually makes a request of my backend for the game state and then decides what to do and posts their move (also to my backend).

I want to store the user scripts on my end though, so I've given them the option to upload their scripts with the standard HTML5 input type="file". Then I use FileReader to read in the raw binary, and associate that binary input as a "bot" for the user in Mongo. (My backend is written in Go.)

Docs for FileReader:
https://developer.mozilla.org/en-US/docs/Web/API/FileReader

So far, I've found a resource for converting the binary back to ascii:
Converting Binary to text using javascript

I found a JavaScript interpreter that I can allegedly execute JavaScript from: https://github.com/jterrace/js.js

In this situation, is there a better way to run the uploaded code, perhaps as an executable? Is a JavaScript sandbox solution like JSJS overkill?

shane
  • Where should the script get executed? On the client (the player's browser/machine) or on the server? – Elwinar May 03 '16 at 08:09
  • If the uploaded code is JavaScript then it's not binary. Just execute it. – slebetman May 03 '16 at 08:11
  • @slebetman they give me a file, and I store it for later – shane May 03 '16 at 08:35
  • @Elwinar I'm honestly unsure where execution should happen. I'm trying to mimic two independent clients asking from clientside, so I'm inclined to think the code should run client-side – shane May 03 '16 at 08:35
  • Both approaches would be valid, each with its own upsides and downsides. Running server-side would be more "fair" so the local connection of a player doesn't affect the performance of its bot. On the other hand, you risk overloading your server, and put yourself at risk by executing arbitrary code of unknown source on your server (sandboxing helps, but there is always a risk). – Elwinar May 03 '16 at 09:14
  • I would advise running client-side. In which case, you can just have the bot be a JavaScript object and run its `main` method. – Elwinar May 03 '16 at 09:15

1 Answer

It should always be a good idea to sandbox any user submitted code, regardless of whether it's executed on the client or server.

overburn
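One way to do the client-side sandboxing discussed in this thread, as an added example that is not part of the original posts: the stored bot text is loaded into a sandboxed iframe, handed the game state by message, and its reply is validated before anything is posted to the backend. It assumes the bot defines a global `main(state)` (following the comment above), that the host page rather than the bot talks to the backend, and a made-up move set; all function names are hypothetical.

```javascript
// Added example. Assumed: the move set, a bot-defined main(state), all function names.
const ALLOWED_MOVES = new Set(["up", "down", "left", "right"]);
// Frame document: a CSP that denies network access, the bot source, a message harness.
function buildSandboxDoc(botSource) {
  // Keep a "</script" inside the bot text from ending the script element early.
  const safe = botSource.replace(/<\/(script)/gi, "<\\/$1");
  const csp = "default-src 'none'; script-src 'unsafe-inline'";
  return [
    `<meta http-equiv="Content-Security-Policy" content="${csp}">`,
    "<script>",
    safe,
    "addEventListener('message', (e) =>",
    "  parent.postMessage({ turn: e.data.turn, move: main(e.data.state) }, '*'));",
    "</script>",
  ].join("\n");
}

// Everything the frame sends back is untrusted: check shape, turn and move.
function validateReply(data, expectedTurn) {
  if (typeof data !== "object" || data === null) return null;
  if (data.turn !== expectedTurn) return null;
  return ALLOWED_MOVES.has(data.move) ? data.move : null;
}
// Browser only. allow-scripts without allow-same-origin: opaque origin, no host DOM or cookies.
function mountBot(botSource) {
  const frame = document.createElement("iframe");
  frame.setAttribute("sandbox", "allow-scripts");
  frame.srcdoc = buildSandboxDoc(botSource);
  return new Promise((resolve) => {
    frame.onload = () => resolve(frame);
    document.body.appendChild(frame);
  });
}

// Browser only. Ask for one move; resolves to null on timeout or an invalid reply.
function runTurn(frame, state, turn, timeoutMs = 200) {
  return new Promise((resolve) => {
    const finish = (move) => {
      clearTimeout(timer);
      removeEventListener("message", onMessage);
      resolve(move);
    };
    const onMessage = (e) => {
      if (e.source === frame.contentWindow) finish(validateReply(e.data, turn));
    };
    const timer = setTimeout(() => finish(null), timeoutMs);
    addEventListener("message", onMessage);
    frame.contentWindow.postMessage({ state, turn }, "*");
  });
}
```

The timeout covers a bot that throws or returns nothing; a bot that spins in a loop can still freeze the tab if the browser runs the frame on the page's main thread.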