Initial working commit. Specs coming soon.

README.md

@@ -0,0 +1,29 @@
+# Node Sandbox
+
+A rudimentary javascript sandbox for use with NodeJS.
+
+## Some features
+
+- Can be used to execute untrusted code.
+- Support for timeouts (e.g. prevent infinite loops)
+- Handles errors gracefully
+- Restricted code (cannot access NodeJS methods)
+
+## Example
+
+Be sure to check out example/example.js
+
+    var s = new Sandbox();
+    s.run('1 + 1 + " apples"', function(output) {
+      // output == "2 apples"
+    });
+
+## Documentation
+
+Coming soon!
+
+Basic syntax: `sandbox_instance.run(code_string, hollaback_function)`
+
+## Author
+
+Written by [Gianni Chiappetta](http://github.com/gf3) – [gf3.ca](http://gf3.ca)

example/example.js

@@ -0,0 +1,29 @@
+var sys = require("sys");
+process.mixin(GLOBAL, require("../lib/sandbox"));
+
+var s = new Sandbox();
+
+// Example 1 - Standard JS
+s.run("1 + 1", function(output) {
+  sys.puts("Example 1: " + output);
+});
+
+// Example 2 - Something slightly more complex
+s.run("(function(name) { return 'Hi there, ' + name + '!'; })('Fabio')", function(output) {
+  sys.puts("Example 2: " + output);
+});
+
+// Example 3 - Syntax error
+s.run("lol)hai", function(output) {
+  sys.puts("Example 3: " + output);
+});
+
+// Example 4 - Restricted code
+s.run("process.platform", function(output) {
+  sys.puts("Example 4: " + output);
+});
+
+// Example 5 - Infinite loop
+s.run("while (true) {}", function(output) {
+  sys.puts("Example 5: " + output);
+});

lib/sandbox.js

@@ -0,0 +1,52 @@
+// sandbox.js - Rudimentary JS sandbox
+// Gianni Chiappetta - gf3.ca - 2010
+
+/*------------------------- INIT -------------------------*/
+var sys = require("sys");
+
+/*------------------------- Sandbox -------------------------*/
+function Sandbox(options) {
+  this.options = process.mixin(process.mixin({}, Sandbox.options), options || {});
+
+  this.run = function(code, hollaback) {
+    // Any vars in da house?
+    var timer,
+        stdout = "",
+        output = function(data) {
+          if (!!data) stdout += data;
+        },
+        child = process.createChildProcess("node", [this.options.shovel]);
+
+    // Listen
+    child.addListener("output", output);
+    child.addListener("exit", function(code) {
+      if (code != 15) {
+        clearTimeout(timer);
+        hollaback.call(this, stdout);
+      }
+    });
+
+    // Go
+    child.write(code);
+    timer = setTimeout(function() {
+      child.removeListener("output", output);
+      child.kill();
+      hollaback.call(this, "TimeoutError");
+    }, this.options.timeout);
+    child.close();
+  };
+}
+
+// Options
+Sandbox.options = {
+  timeout: 500,
+  shovel: (function() {
+    var p = __filename.split("/").slice(0, -1);
+    p.push("shovel.js");
+    return p.join("/");
+  })()
+};
+
+/*------------------------- Export -------------------------*/
+exports.Sandbox = Sandbox;
+

lib/shovel.js

@@ -0,0 +1,36 @@
+// shovel.js - Do the heavy lifting in this sandbox
+// Gianni Chiappetta - gf3.ca - 2010
+
+/* ------------------------------ INIT ------------------------------ */
+var code = "",
+    reserved = {
+      require: null,
+      code: null,
+      reserved: null,
+      run: null
+    };
+
+/* ------------------------------ Sandbox ------------------------------ */
+// Generate list of reserved items
+for (var i in GLOBAL) reserved[i] = null;
+
+// Get code
+process.stdio.addListener("data", function(data) {
+  code += data;
+});
+process.stdio.addListener("close", run);
+process.stdio.open();
+
+// Run code
+function run() {
+  var output = (function() {
+    try {
+      return eval('with (reserved) { ' + code + ' }');
+    }
+    catch (e) {
+      return e.name + ': ' + e.message;
+    }
+  })();
+  process.stdio.write(output);
+  process.exit(0);
+}