
added sandboxing for JSLint execution

This avoids (theoretical) security vulnerabilities by treating JSLint as
untrusted code, rendering potentially malicious injections impotent.

Since we're not treating JSLint as a CommonJS module here, there's no
need to modify fulljslint.js anymore.

as suggested by jkruse:
http://tech.groups.yahoo.com/group/jslint_com/message/1848
commit 9972fdcdeb402ec859345b7801ac08dd8dffd83f 1 parent 81c35b3
FND authored
Showing with 21 additions and 8 deletions.
  1. +1 −1  .gitignore
  2. +1 −0  README
  3. +19 −7 wrapper.js
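--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-jslint.js
+fulljslint.js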
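--- a/README
+++ b/README
@@ -3,6 +3,7 @@ Node.js wrapper for JSLint (http://jslint.com)
 Usage:
+
 $ node wrapper.js [options] <filepath>
 (use `node wrapper.js --upgrade` to generate jslint.js alongside wrapper.js)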
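--- a/wrapper.js
+++ b/wrapper.js
@@ -1,7 +1,13 @@
 var sys = require("sys"); // XXX: renamed in Node.js v0.3.0
 var fs = require("fs");
+var vm;
+try {
+ vm = require("vm");
+} catch(exc) { // Node.js v0.2
+ vm = process.binding("evals").Script;
+}
-JSLINT_PATH = __dirname + "/jslint.js";
+JSLINT_PATH = __dirname + "/fulljslint.js";
 var main = function(args) {
 var valueOptions = ["indent", "maxerr", "maxlen"];
@@ -11,13 +17,10 @@ var main = function(args) {
 if(opts.upgrade) {
 getJSLint(function(contents) {
- contents += "\nmodule.exports.JSLINT = JSLINT;\n";
 fs.writeFileSync(JSLINT_PATH, contents)
 exit(true);
 });
 return;
- } else {
- var JSLINT = require(JSLINT_PATH).JSLINT;
 }
 // The Good Parts
@@ -37,11 +40,20 @@ var main = function(args) {
 sys.debug("JSLint options: " + sys.inspect(opts)); // XXX: optional?
 var filepath = args[0]; // TODO: support for multiple files
- var src = fs.readFileSync(filepath, "utf-8"); // XXX: UTF-8 always suitable?
+ var src = fs.readFileSync(filepath, "utf-8");
+ var jslint = fs.readFileSync(JSLINT_PATH, "utf-8");
+
+ var sandbox = {
+ SRC: src,
+ OPTS: opts
+ };
+ vm.runInNewContext(jslint + "\nJSLINT(SRC, OPTS);", sandbox);
+
+ var errors = sandbox.JSLINT.errors;
+ var pass = errors.length == 0;
- var pass = JSLINT(src, opts);
 if(!pass) {
- var errors = formatOutput(JSLINT.errors, filepath);
+ errors = formatOutput(errors, filepath);
 sys.print(errors.join("\n") + "\n");
 }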
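Review bot: The context created by `vm.runInNewContext` in the third hunk isolates JSLint less than the commit message implies, because `OPTS: opts` hands a host-realm object into it and such objects keep references back to the outer context's built-ins; Node's current documentation states that the vm module is not a security mechanism. Passing only primitives narrows this: `OPTS: JSON.stringify(opts)` in the sandbox literal and `JSLINT(SRC, JSON.parse(OPTS));` in the evaluated string. `sandbox.JSLINT.errors` is produced by the code being distrusted, so `formatOutput` (not visible here) should presumably copy only the expected string and number fields, and a missing `sandbox.JSLINT` (an empty or replaced fulljslint.js) currently surfaces as a TypeError rather than a clean failure. Real isolation would need the lint run moved into a separate process with reduced privileges, and the `--upgrade` path in the second hunk appears to write the fetched file to disk without any integrity check. The body of `main` starts and ends outside these hunks.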