How to run javascript code from string in safe way

Question

I found some answers, but very old one and I wondered how can it be done?

I've seen that eval() function isn't safe:

Alternate for eval() to execute auto-generated JS code from the server

So what are my options in order to run a javascript code in isolated secured way?

https://stackoverflow.com/questions/359788/how-to-execute-a-javascript-function-when-i-have-its-name-as-a-string look at here — Alp Eren Gül, May 30 '20 at 21:02
If it was totally isolated, you wouldn't need to run it. What is the problem you are trying to solve? — Bergi, May 30 '20 at 21:02
@Bergi I want to build an app that allow you to share code and execute it. — Dorki, May 30 '20 at 21:03
@Dorki Users running code that is shared by other users is inherently unsafe. Don't do that. If you take a look at how all the code sharing platforms work (including things like StackSnippets): they serve the code on a separate domain and sandbox it in an iframe protected by the SOP. — Bergi, May 30 '20 at 21:04
Why not load external JS files with xmlhttprequest? You should also have some sort of backend filter that makes sure no unsafe functions or libraries are used. — hewiefreeman, May 30 '20 at 21:04
@Bergi stackoverflow's website has the feature to execute javascript code, maybe something related to iframe or isolated environment? — Dorki, May 30 '20 at 21:05
@hewiefreeman Is there a well-known library that does that already? — Dorki, May 30 '20 at 21:06
@Dorki Ah, I was still editing my comment :-) Yes, they use iframes. They do not "run code from a string". — Bergi, May 30 '20 at 21:08
@Bergi ohhh, that's a bit cleared some fuzzy about how it works, so the question is whether using the same domain could also be secured? I mean, I could make my backend to send the string ( that should be convereted to code ) to an new url, but couldn't it be bypass or hacked with any js code? — Dorki, May 30 '20 at 21:12
See https://stackoverflow.com/q/10653809/1048572 https://stackoverflow.com/q/22506026/1048572 https://stackoverflow.com/q/195149/1048572 https://stackoverflow.com/q/2986908/1048572 https://stackoverflow.com/q/5044608/1048572 — Bergi, May 30 '20 at 21:15

Luca Fabbian · Answer 1 · 2020-05-30T21:36:48.937

-1

(as pointed out, this answer is outdated and the proposed solution could be easily broken).

Currently, draft for secure ecmascript has not been approved/implemented yet. One hack that has decent browser support (proxy is es6 feature) is using proxies and with to create a sandbox.

You just have to write a proxy which returns null for every requested key except for some safe functions. with would ask the proxy every time a var outside eval is required (for example, window) and so, provide null instead of the real var.

Check this website for a tutorial: code sandbox

edited May 30 '20 at 21:36

answered May 30 '20 at 21:03

Luca Fabbian

194
6

**No.** This doesn't provide real safety. – D. Pardal May 30 '20 at 21:15
why? I could not find an example that breaks it - moreover I've seen it used in a commercial solution by a big tech company. Of course, it's an hack - not a true solution (iframes are too). – Luca Fabbian May 30 '20 at 21:19
You can get access to the main window object with `this`. – D. Pardal May 30 '20 at 21:21
no, you can bind "this" to another var (JavaScript perfectly allows it). – Luca Fabbian May 30 '20 at 21:22
No, `this` is a reserved word. You can't name a variable after it. – D. Pardal May 30 '20 at 21:23
Try to "sandbox" this code with that technique and see what happens: `new (()=>{}).constructor("this.alert('oops')")()`. By the way, I feel bad for that "big tech company". – D. Pardal May 30 '20 at 21:24
wow, you're right. I've never thought about it. I'll edit the answer immediately. please add a comment to the tutorial too - I know it's widely used. – Luca Fabbian May 30 '20 at 21:28

How to run javascript code from string in safe way

1 Answers1