You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This allows me to use require() relative to the task-runner.js file of the wf module. Including a script from my project root would be require('../../../thescript')
I had to modify the source of this module to get require to work properly because specifying require: require in the runner sandbox modules config doesn't work.
I understand that the use of vm is for security purposes but is there a safe way to allow the use of require in task body? Perhaps allow the user to specify require in runner config with a disclaimer that doing so would lower safety?
The text was updated successfully, but these errors were encountered:
Honestly, I don't think it's a good idea to allow the use of require from tasks: what is the reason to do not require those modules in advance using wf-runner configuration?
Not to mention that we would be moving from "dangerous" to "completely unsafe" in terms of executing completely arbitrary code from vm.
I would like to be able to reuse code and reduce boilerplate in my tasks. As far as security, I don't understand how this is any less safe. Your database and file system already hold 'arbitrary' code that is run anyway. We just don't have the option to require arbitrary files for our arbitrary code. Not sure how sandboxing in this case makes anything any safer. I don't understand where malicious injection would occur otherwise.
@TomKaltz allowing a task to use require means that it could also require things like fs and, for example, fork a child process, which could mess pretty much everything regarding how wf-runner work.
Anyway, I wouldn't be opposed to add a configurable option to use require and have it disabled by default with that disclaimer you mentioned
I would like to use require() in my task body. I have found a way to hack this capability by adding...
require: require
to https://github.com/joyent/node-workflow/blob/58715e9835d80156370035354143acb2add92c86/lib/task-runner.js#L53
This allows me to use
require()
relative to the task-runner.js file of the wf module. Including a script from my project root would berequire('../../../thescript')
I had to modify the source of this module to get require to work properly because specifying
require: require
in the runner sandbox modules config doesn't work.I understand that the use of vm is for security purposes but is there a safe way to allow the use of require in task body? Perhaps allow the user to specify
require
in runner config with a disclaimer that doing so would lower safety?The text was updated successfully, but these errors were encountered: