
I'd like to be able to safely execute third-party JavaScript inside a Node app. The code they would provide must be entirely pure, which means I can happily isolate them from anything globally available.

They will need to call certain libraries but I can provide a form of the require function which is limited to providing only other pure functions. They won't need anything other than what I give them. They should be unable to use any tricks to access anything outside of the closure I wrap their function in.

Does anyone know if this is possible?

Dave Hunt
  • You can use the eval function. Possibly a duplicate of this: https://stackoverflow.com/questions/939326/execute-javascript-code-stored-as-a-string – Mehdi Benmoha Mar 13 '18 at 13:55
  • eval is a box with no sand at all. – Alex K. Mar 13 '18 at 13:57
  • Would https://www.npmjs.com/package/safe-eval work for you? It's basically a context wrapped around eval to ensure it can't reach out of the box into the node internals, but you can specify certain functions/methods/internals to be exposed to your arbitrary script execution. – Yannick Meeus Mar 13 '18 at 14:02
  • Not sure how "pure" exactly the code will be, possibly you can parse it with Babel and validate what it is doing (whitelisting). If that's not an option, use the `vm` module. – Bergi Mar 13 '18 at 14:10
  • safe-eval looks promising. I hadn't seen that before. Thanks! – Dave Hunt Mar 15 '18 at 12:47

0 Answers