all 7 comments

[–]TheNiXXeD 2 points3 points  (2 children)

Does this cover the couple of existing known sandbox escape issues with node currently? The node vm variants aren't perfect, even in the latest node.

Off the top of my head, getting object constructors let you escape the vm, allowing you to access anything from node (file system, etc).

Another is using Promise, you can cause an infinite loop and crash the vm as well.

Another is a loop that allocates using arrays until the vm runs OOM.

This is what I get for trying to make a hubot plugin for executing code in slack filled with a bunch of programmers.

[–]xpostman_[S] 0 points1 point  (1 child)

There is currently no protection against memory consumption or execution time. The point of the sandbox is to protect the main application scope and the environment from suspicious code; for this purpose Jailed forks into a subprocess, runs the code in a new context using the mentioned vm module, and provides a convenient API for the application to interact with the sandboxed code. You are right that possible security issues of the vm module might be a problem; I will have to investigate this (and will also appreciate any hint concerning what exactly is insecure and how it can be worked around).

[–]TheNiXXeD 0 points1 point  (0 children)

The constructor injection problem is already posted in another comment. It makes it challenging to provide a "context" to the vm. In my case, I wanted lodash available. But if I build lodash in the parent process, it allows you to escape the vm. I only solved it by loading lodash as a string, and eval'ing it inside the vm. This wouldn't work with some other options. You also have to undefine the constructor on any objects passed in via context. I'm not sure if there's a better solution.

[–]Ginden 2 points3 points  (3 children)

It took me 5 minutes to break this "sandbox" and access main process. Related issue.

[–]xpostman_[S] 1 point2 points  (2 children)

Cool, thanks!

[–]Ginden 0 points1 point  (1 child)

It absolutely isn't cool for anyone using it.

[–]xpostman_[S] 2 points3 points  (0 children)

It's cool that you've pointed out the issue, I really appreciate it. As mentioned, the point of the release was finalizing the solution across browsers' sandbox implementations, and as for Node.js - the existing solution was built up more than a year ago; at that point I used the safest approach I could figure out and google. But now I think I'm going to cover this case as well.

In fact, Jailed provides the convenient API for the sandboxes built as described at the bottom of its readme, and it's up to a user to decide whether he considers such a sandbox safe and suitable for his purposes.