Skip to content

Add comprehensive research on Node.js sandboxing capabilities#100

Merged
simonw merged 4 commits intomainfrom
claude/sandbox-worker-threads-2XYnW
Mar 22, 2026
Merged

Add comprehensive research on Node.js sandboxing capabilities#100
simonw merged 4 commits intomainfrom
claude/sandbox-worker-threads-2XYnW

Conversation

@simonw
Copy link
Owner

@simonw simonw commented Mar 22, 2026

Summary

This PR adds extensive research documentation and working examples for sandboxing untrusted JavaScript code using Node.js v22 built-in modules and third-party packages. The research covers worker_threads, the Permission Model, vm module, and npm packages like isolated-vm.

Key Changes

Documentation

  • worker-threads-sandboxing/README.md: Comprehensive guide covering Worker constructor options, resourceLimits behavior, Node.js Permission Model (now stable in v22), vm module limitations, and combined defense-in-depth approaches
  • sandbox-worker-threads/README.md: Practical investigation results with verdict on each sandboxing mechanism (resourceLimits unreliable, Permission Model effective, vm not a security boundary)
  • js-sandbox-research/README.md: Analysis of third-party packages including isolated-vm (recommended), vm2 (deprecated with 20+ CVEs), and quickjs-emscripten
  • Research notes in both directories documenting methodology and findings

Working Examples

  • 01-01f series: Tests of resourceLimits showing they do NOT effectively enforce memory limits in Node.js 22 (workers exceed stated limits by 10-20x)
  • 02-02b series: Permission Model tests confirming --experimental-permission via execArgv successfully blocks filesystem writes and child process spawning
  • 03-03b series: vm module isolation tests demonstrating the constructor escape vulnerability
  • 04: CPU timeout prevention via worker.terminate() and vm timeout
  • 05: Permission Model inheritance testing on main process
  • 06: isolated-vm integration showing true V8 isolate separation
  • 07-07f series: Combined defense-in-depth approaches (Permission Model + vm, Permission Model + isolated-vm, escape testing)

Notable Implementation Details

  • resourceLimits verdict: Guidelines rather than hard limits; ArrayBuffer allocations bypass them entirely; --max-old-space-size cannot be passed via execArgv
  • Permission Model: Now stable (not experimental) in Node.js v22.13.0+; can be applied per-worker via execArgv; provides syscall-level enforcement even if vm sandbox is escaped
  • vm module: Explicitly NOT a security mechanism; any injected function enables prototype chain escape to access process/require
  • isolated-vm: Recommended for true isolation; uses separate V8 isolates with independent heaps; requires --allow-addons permission flag
  • Combined approach: Worker + Permission Model + isolated-vm provides strongest sandboxing with filesystem restrictions, memory limits, and CPU timeouts

All examples are tested and functional on Node.js v22.22.0.

https://claude.ai/code/session_019VCn2aGgVfuSqP4qK2G4Lf

claude added 4 commits March 22, 2026 15:53
@claude
Research JS sandbox solutions for running untrusted code: isolated-vm…
e3e9b8a 
…, vm2, quickjs-emscripten, ShadowRealm, Deno Workers

https://claude.ai/code/session_019VCn2aGgVfuSqP4qK2G4Lf
@claude
Research Node.js worker_threads sandboxing capabilities for v22
4828068 
Covers Worker constructor options, resourceLimits, Permission Model
(now stable in v22), vm module limitations, and third-party packages
(isolated-vm, quickjs-emscripten). Includes verified code examples
demonstrating defense-in-depth sandboxing with Worker + Permission
Model + vm module.

https://claude.ai/code/session_019VCn2aGgVfuSqP4qK2G4Lf
@claude
Research sandboxing untrusted code with Node.js worker_threads
3b3f0c2 
Investigated filesystem, network, memory, and CPU isolation options
for running untrusted JavaScript via worker_threads on Node.js 22.

Key findings:
- resourceLimits does NOT enforce memory limits (workers exceed by 10-20x)
- Permission Model (--experimental-permission) works via worker execArgv
- vm module is NOT a security boundary (trivially escapable)
- isolated-vm provides hard memory limits, CPU timeout, and true isolation
- Permission Model blocks native addons by default (needs --allow-addons)
- Defense in depth: permission model catches vm sandbox escapes

Recommended: Worker + isolated-vm, with Permission Model as optional layer.

https://claude.ai/code/session_019VCn2aGgVfuSqP4qK2G4Lf
@claude
Update: Permission Model is stable in Node.js 22.13+ (--permission no…
ac1d653 
…t --experimental-permission)

https://claude.ai/code/session_019VCn2aGgVfuSqP4qK2G4Lf
@simonw
Copy link
Owner Author

simonw commented Mar 22, 2026

You wrote a lot of code but did not include details of exactly how you ran that code and the results you got from it in the repo - make sure the README includes detailed information on the tests you ran and what you learned from them

@simonw simonw merged commit 9209064 into main Mar 22, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@simonw @claude