I am the developer of a PDF manipulation framework (Origami) and I'm currently trying to integrate Johnson into it.
For instance from JS:
If util is a defined Ruby Object accessible in JS scope:
Could it be possible that you introduce some sort of flag to prevent the Ruby Object namespace from being included in global?
Maybe also introduce some checks so that only user-defined methods are accessible from JS?
I am not very familiar with your code base, but I was thinking about including those security checks into JSLandProxy::send_with_possible_block and modifying Runtime#initialize.
Would that be OK for you?
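As an added illustration (not Johnson's code, and not part of the original issue), here is the shape the two checks asked for above could take in plain Ruby: a dispatcher that lets a JS-side call reach only the public methods defined on the user's own class, refusing everything inherited from Object/Kernel as well as reflective methods that lead back to eval, plus a binding table standing in for the JS global object so that only explicitly exposed names resolve. `PdfUtil`, `RestrictedDispatcher` and `Bindings` are assumed names for this example.

```ruby
require "digest"

# Added example, not Johnson's code. PdfUtil stands in for the Ruby object
# the issue calls `util`; RestrictedDispatcher and Bindings are assumed names
# modelling the two checks the issue asks for.

class PdfUtil
  # User-defined methods JS should be allowed to call.
  def page_count(doc)
    doc.fetch(:pages).size
  end

  def sha1(data)
    Digest::SHA1.hexdigest(data)
  end
end

class RestrictedDispatcher
  # Reflective methods that must never be reachable from JS even if a user
  # class happens to define them, since each is a route back to arbitrary
  # Ruby evaluation or to other objects.
  DENIED = %i[send __send__ public_send instance_eval instance_exec
              instance_variable_get instance_variable_set method methods
              define_singleton_method singleton_class class extend].freeze

  def initialize(target)
    @target = target
    # Only methods defined directly on the object's own class: the `false`
    # argument excludes everything inherited from Object/Kernel/BasicObject.
    @allowed = (target.class.public_instance_methods(false) - DENIED).freeze
  end

  def allowed?(name)
    @allowed.include?(name.to_sym)
  end

  # The point where a JS call is forwarded into Ruby (the role the issue
  # assigns to JSLandProxy::send_with_possible_block): check, then dispatch.
  def call(name, *args)
    name = name.to_sym
    raise NoMethodError, "method #{name} is not exposed to JS" unless allowed?(name)
    @target.public_send(name, *args)
  end
end

# Stands in for the JS global object: only names that were explicitly exposed
# resolve, so Ruby's Object constants (Kernel, File, IO, ...) never appear there.
class Bindings
  def initialize
    @table = {}
  end

  def expose(name, object)
    @table[name.to_s] = RestrictedDispatcher.new(object)
    self
  end

  def lookup(name)
    @table.fetch(name.to_s) { raise NameError, "#{name} is not bound in the JS scope" }
  end
end

if __FILE__ == $PROGRAM_NAME
  env = Bindings.new.expose("util", PdfUtil.new)
  # JS side: util.page_count({pages: [...]})
  puts env.lookup("util").call("page_count", { pages: [1, 2] })
  begin
    # JS side: util.instance_eval("File.read('/etc/passwd')")
    env.lookup("util").call("instance_eval", "File.read('/etc/passwd')")
  rescue NoMethodError => e
    puts "blocked: #{e.message}"
  end
end
```

The allow-list is computed once from `public_instance_methods(false)` at exposure time, so methods added later by reopening Object or Kernel do not become callable; the deny-list covers the case where a user class itself defines `send` or `instance_eval`.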
I will note, however, that I think @cowboyd's therubyracer already has such controls built in, so that might be worth a look for your use case.
One area where you need to be careful if you're executing untrusted code is something hogging the CPU. The Ruby Racer does not currently support timeboxing operations. V8 does support this, but I have not yet wired it up because it involves some tricky locking shenanigans. It will eventually, but not yet, and I don't want to give you the impression that it does.
If JRuby is an option, then you might want to have a look at therubyrhino which does allow you to constrain both the memory AND the CPU.
@matthewd Thanks for the help on #rubinius the other day. I was wondering if you might want to compare notes on managing interaction between two garbage collectors at some point. I think it's a pretty niche area and I'd like to hear your thoughts.