
Update documentation to not be misleading. It's not possible to safely... #2865

Closed
wants to merge 1 commit into from

3 participants

Devin Samarin Ben Noordhuis Ben Verhees
Devin Samarin

...run untrusted code.

There was talk of a Prison module for this purpose in ~0.7+. This is only 1 single example of code which can be called with vm.runInNewContext, and exit the process.

```js
var Func = (function() { return arguments.callee.caller })().caller.caller.caller.constructor;
var fn = new Func('return process');
var process = fn();
process.exit()
```
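The snippet above ends in `process.exit()`, and the documentation text this PR removes points at a separate process. As an added example (not code from the PR or from Node's documentation), the following runs a snippet in a child Node process so that an exit or a runaway loop ends only the child. `runIsolated` and the sample snippets are hypothetical names constructed here, and the child still runs with the parent's OS privileges, so file-system and network confinement remain a separate layer.

```javascript
// Added example: contain a snippet in a child process instead of a vm context.
const { spawnSync } = require('node:child_process');

// Runs `source` in a fresh Node process and reports how that process ended.
// Assumes a POSIX host; on Windows an empty env may need SystemRoot added.
function runIsolated(source, timeoutMs = 2000) {
  const child = spawnSync(process.execPath, ['-e', source], {
    env: {},                           // do not pass the parent's environment (secrets)
    timeout: timeoutMs,                // kill runaway loops
    maxBuffer: 64 * 1024,              // bound the captured output
    encoding: 'utf8',
    stdio: ['ignore', 'pipe', 'pipe'], // no stdin; capture stdout and stderr
  });
  return {
    status: child.status,              // exit code, or null if killed by a signal
    signal: child.signal,              // e.g. 'SIGTERM' after a timeout
    timedOut: Boolean(child.error && child.error.code === 'ETIMEDOUT'),
    stdout: child.stdout,
  };
}

// Constructed sample: the snippet exits, the parent keeps running and sees the code.
const demo = runIsolated('process.exit(7)');
console.log('child exit status:', demo.status, '- parent pid still running:', process.pid);
```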

Ben Noordhuis

Thanks, I'll merge it but can you sign the CLA and wrap lines at 80 characters?

Ben Verhees

@eboyjr your PR is still waiting for an updated commit message

Devin Samarin

@benverhees Thanks, but I forfeit. Maybe someone else can come along and take care of it?

Ben Noordhuis

Closing then. The caveats are reasonably well documented by now.


Showing 1 unique commit by 1 author.

Mar 03, 2012
Devin Samarin dsamarin Update documentation to not be misleading. It's not possible to safely run untrusted code.
b958e69

Showing 1 changed file with 6 additions and 6 deletions.

  1. +6 6 doc/api/vm.markdown
12 doc/api/vm.markdown
@@ -62,8 +62,8 @@ These globals are contained in the sandbox.
62 62 // { animal: 'cat', count: 3, name: 'kitty' }
63 63
64 64 Note that running untrusted code is a tricky business requiring great care. To prevent accidental
65   -global variable leakage, `vm.runInNewContext` is quite useful, but safely running untrusted code
66   -requires a separate process.
  65 +global variable leakage, `vm.runInNewContext` is quite useful for trivial purposes, but safely running
  66 +untrusted code is not possible.
67 67
68 68 In case of syntax error in `code`, `vm.runInNewContext` emits the syntax error to stderr
69 69 and throws an exception.
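Review bot: On new lines 65-66, replacing "requires a separate process" with "is not possible" removes the only mitigation this paragraph offered, and it now clashes with the opening sentence on line 64 that calls untrusted code "a tricky business requiring great care". Consider saying that `vm.runInNewContext` is not a security boundary while keeping the pointer to a separate process, so the reader still learns what to do instead. "for trivial purposes" is also vague; the sentence already names the real use (preventing accidental global variable leakage), so the qualifier can go.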
@@ -96,8 +96,8 @@ Note that `createContext` will perform a shallow clone of the supplied sandbox o
96 96 initialise the global object of the freshly constructed context.
97 97
98 98 Note that running untrusted code is a tricky business requiring great care. To prevent accidental
99   -global variable leakage, `vm.runInContext` is quite useful, but safely running untrusted code
100   -requires a separate process.
  99 +global variable leakage, `vm.runInContext` is quite useful for trivial purposes, but safely running
  100 +untrusted code is not possible.
101 101
102 102 In case of syntax error in `code`, `vm.runInContext` emits the syntax error to stderr
103 103 and throws an exception.
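Review bot: Added line 99 runs to roughly 100 columns, and the maintainer asked in this thread for lines wrapped at 80. Rewrap the `vm.runInContext` paragraph (lines 98-100) in the same commit, since context line 98 is already over the limit and the new text makes the paragraph longer.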
@@ -176,5 +176,5 @@ These globals are contained in the sandbox.
176 176 // { animal: 'cat', count: 12, name: 'kitty' }
177 177
178 178 Note that running untrusted code is a tricky business requiring great care. To prevent accidental
179   -global variable leakage, `script.runInNewContext` is quite useful, but safely running untrusted code
180   -requires a separate process.
  179 +global variable leakage, `script.runInNewContext` is quite useful for trivial purposes, but safely running
  180 +untrusted code is not possible.
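Review bot: Lines 178-180 are the third copy of the same caveat (also at 64-66 and 98-100), differing only in the function name, so any wording fix has to be repeated by hand in three places. Consider stating the limitation once near the top of doc/api/vm.markdown and having each section refer to it, which also keeps the three statements from drifting apart.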
