[Question] Is the JS interpreter sandboxed? #13168

Closed
hrj opened this issue May 20, 2017 · 3 comments


@hrj hrj commented May 20, 2017

  • I've verified and I assure that I'm running youtube-dl 2017.05.18.1
  • At least skimmed through README and most notably FAQ and BUGS sections
  • Searched the bugtracker for similar issues including closed ones

What is the purpose of your issue?

  • Bug report (encountered problems with youtube-dl)
  • Site support request (request for adding support for a new site)
  • Feature request (request for a new functionality)
  • Question
  • Other

When the JS from a website is interpreted by youtube-dl, is the JS sufficiently sandboxed so that:

  • No local filesystem access is allowed
  • No system calls and/or native library calls are allowed
  • No Python APIs are allowed

?

Collaborator

@dstftw dstftw commented May 20, 2017

JS interpreter only supports a language subset needed for interpreting YouTube JS. Nothing from aforementioned list is supported.

@dstftw dstftw closed this May 20, 2017
Author

@hrj hrj commented May 20, 2017

@dstftw Thanks for replying. The things I listed are not exactly language features. They are about the API surface exposed to the JS. I tried skimming through jsinterp.py with the limited understanding of Python that I have, but couldn't be sure what the API surface is. It looks like there is no DOM API exposed, am I right? What about native Python objects? For example, the code is using an array of objects and functions to store corresponding JS values. Is it possible to access Python code through lookups on these values through JS?

Collaborator

@dstftw dstftw commented May 20, 2017

I've already answered: nothing you listed is possible.

@ytdl-org ytdl-org locked and limited conversation to collaborators May 20, 2017
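
The distinction raised in this thread, between the language subset an interpreter supports and the API surface its host objects expose to script, shown as an added Python example. It is not part of the original issue and is not code from youtube-dl's jsinterp.py; every name in it is hypothetical. It contrasts a resolver that forwards script-chosen member names to the host object with one that resolves them only through an explicit allow-list.

```python
# Added illustration; hypothetical names, not code from youtube-dl's jsinterp.py.

class JSAccessError(Exception):
    """Raised when interpreted script asks for a member that is not exposed."""

# Explicit API surface: for each host type used to hold a JS value,
# the only members script may reach, each implemented as a plain function.
ALLOWED_MEMBERS = {
    list: {
        "length": lambda v: len(v),
        "reverse": lambda v: (lambda: v.reverse() or v),
        "join": lambda v: (lambda sep=",": sep.join(str(x) for x in v)),
    },
}

def naive_member(value, name):
    """Weak design: forwards any script-chosen name to the host object."""
    return getattr(value, name)

def strict_member(value, name):
    """Hardened design: exact-type allow-list, no fallback to getattr."""
    table = ALLOWED_MEMBERS.get(type(value))
    if table is None or name not in table:
        raise JSAccessError("member %r is not exposed" % (name,))
    return table[name](value)

def audit(names, sample):
    """Report, per name, whether (naive, strict) resolution lets it through."""
    report = {}
    for name in names:
        try:
            naive_member(sample, name)
            naive_ok = True
        except AttributeError:
            naive_ok = False
        try:
            strict_member(sample, name)
            strict_ok = True
        except JSAccessError:
            strict_ok = False
        report[name] = (naive_ok, strict_ok)
    return report

# Constructed sample: member names a script might request on an array value.
SAMPLE_NAMES = ["length", "join", "__class__", "append"]
```

Running `audit(SAMPLE_NAMES, [1, 2, 3])` shows the two surfaces side by side: the naive resolver exposes whatever the Python list happens to have, while the strict one exposes only the JS members that were deliberately implemented.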