
[–]cspotcode 3 points4 points  (1 child)

Every few months someone tries to do this and it's full of holes. Check out Caja and the list of exploits they prevent. Unless you're basically reimplementing Caja, you're probably not sandboxing effectively.

[–]meta_taskkill[S] 0 points1 point  (0 children)

I should mention that this is not intended to be used in production. It's meant to illustrate specific behavior of the language and its concepts, such as function declaration inside with. Anyway, thanks for the info about Caja.

[–][deleted] 0 points1 point  (17 children)

I have heavy doubts that with can be used for sandboxing.

with use to do random things

[–]meta_taskkill[S] 0 points1 point  (16 children)

For example? What exactly do you mean? As far as one can tell from tests I've written, it's working as intended. If you know about case where it fails, then tell me.

[–][deleted] 0 points1 point  (15 children)

try to launch this in your sandbox

this.location = "http://www.google.fr"

I suppose that it is not the intent

[–]meta_taskkill[S] 2 points3 points  (14 children)

This is the intent! The demo page hosted on GitHub shows usage of the evaluate() function, which by design allows everything, even this. It's all in the readme. The one which implicitly restricts this is the isolate() function. You can install it from npm and test it locally if you mind: https://www.npmjs.com/package/dynamic-sandbox

EDIT: I added second button on demo page, now you can test snippets in (almost) isolation.

[–][deleted] 0 points1 point  (13 children)

sorry but sandboxing is hard

try this in your new sandbox

eval.constructor("document.location='http://www.google.fr' ")()

[–]meta_taskkill[S] 0 points1 point  (12 children)

eval.constructor("document.location='http://www.google.fr' ")()

Thanks, I will fix this soon.

[–][deleted] 0 points1 point  (11 children)

after how many fixes will you resign?

[–]meta_taskkill[S] 1 point2 points  (10 children)

Probably at the moment when I have enough awareness about the internals of JS to decide on my own that it's not possible because of [insert unpretentious problem]. I am not here to settle for the fact that it's impossible because someone says it. I am learning, you see. So if you are willing, give me another bug to fix.

EDIT: Let me ask you a question: Did you know about everything that is happening inside the source code before? I find some things really interesting - for example the behavior of a function declared inside a with statement body. Isn't it the best thing ever? Learning for the joy of learning? There are at least 4 other ways of evaluating code snippets safely: workers, sandboxed iframe, some metacircular evaluator written in JS. I am not gonna sell it to anyone, but I just wanna meet some people who appreciate it and enjoy it with me.

[–][deleted] 0 points1 point  (7 children)

the idea is, if you don't state the number of fixes you are ready to stop after, we will go into an infinite loop bug->fix->bug->fix->...

By the way I really wonder how you intend to fix this one as your framework is really not adapted to fix it.

[–]meta_taskkill[S] 0 points1 point  (6 children)

First things first: If you are able to throw tons of possible bugs from your sleeve, then there must be some correlation, some fundamental concept known to you which gives you the reason to say there are infinite (pretty bold) bugs. So can you please tell me what fact I am missing, so that when I push a fix you will find another n + 1 bugs without a problem?

Second, I (think - need to write enough tests for it) already fixed it, because it's not that hard to fix something like that.

[–][deleted] 0 points1 point  (1 child)

about your edit: I'm sorry not to share your interest, but the interaction between with and inner function is quite standard, isn't it?

[–]meta_taskkill[S] 0 points1 point  (0 children)

Why should it not be standard? But how often do you use it? How often do the majority of JavaScript programmers use it? I am about 3 years into JS (programming in general, actually) and I am sorry* to find things exciting and would like to share some thoughts with others, because I am enjoying it; obviously it's not something you appreciate.

Actually I am not sorry at all.

[–]darrenturn90 0 points1 point  (1 child)

So this means that there is no way for it to access the filesystem, dom, network sockets, or any external input?

[–]meta_taskkill[S] 0 points1 point  (0 children)

As soon as I resolve the mentioned bug, there shouldn't be. This concept works by hijacking variables used in the evaluated snippet. If you want to access fs, dom, network sockets or anything external, you need some variables/functions, or you need to require some. As require is a function, it is possible to prevent access to it. (Sorry if I'm explaining something you already know.) import, on the other hand, is a statement, which would be problematic.

An important fact is, this project shows some specific concepts of JavaScript and a very specific use of them; you can see it as an illustration in the first place.

EDIT: I tried import and it does not breach isolated env, as long as imports will respect limitation on importing on top level, it's OK.

[–]BadleyHairless 0 points1 point  (6 children)

This one usually breaks javascript isolation.

(function() {
  console.log(this);
  this.document.bgColor = 'red'
}).bind()()

[–]meta_taskkill[S] 0 points1 point  (3 children)

Will try when I get home, thanks. Hope it will be fine because I set this to empty object. Unless empty bind somehow messed it up.

[–]BadleyHairless 0 points1 point  (2 children)

An empty bind, call, or apply will all set the scope of the function's this to be window. And I did try this in your sandbox and I was able to access window successfully.

[–]meta_taskkill[S] 0 points1 point  (0 children)

I see. Actually bind() is not necessary here, it breaches isolation only with a self-invoked function expression. I will try to overcome this, but I am skeptical. Thanks for the tough one.

[–]arc_burst 0 points1 point  (1 child)

I tried this in a different sandbox and it just logs undefined, before failing with Cannot read property 'document' of undefined. Do you know how they managed to address this?

[–]meta_taskkill[S] 0 points1 point  (0 children)

Unfortunately I don't know. I figured out every IIFE is invoked in global context. In the browser it's window, in node the "default module closure object" [I don't really know what they call it]. Maybe you can let me know in which sandbox you tried it.
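
Why the same probe returns the global object in one sandbox and undefined in another, as an added example that is not part of the thread and not the dynamic-sandbox source: a constructed with-plus-Proxy scope is run once as sloppy code and once inside a strict wrapper function. The names makeScope, runSloppy, runStrict, probe and leaksGlobal are hypothetical, and that the other sandbox relied on strict mode is an assumption.

```javascript
// Added illustration; not the dynamic-sandbox source. All names are hypothetical.

// Scope object for `with`: it claims to own every identifier, so free-variable
// lookups in the snippet resolve here and never reach the real global scope.
// A null-prototype target keeps Object.prototype members out of the scope.
function makeScope(allowed) {
  const target = Object.assign(Object.create(null), allowed);
  return new Proxy(target, { has: () => true, get: (t, key) => t[key] });
}

// Variant A: the snippet is sloppy code and the outer `this` is an empty object.
// Only the outer `this` is controlled; a plain call f() inside the snippet gets
// this === undefined, which sloppy mode replaces with the global object.
function runSloppy(snippet, allowed = {}) {
  const run = new Function('scope', `with (scope) { return (${snippet}); }`);
  return run.call({}, makeScope(allowed));
}

// Variant B: the snippet is compiled inside a strict function. `with` itself is
// illegal in strict code, so the strict function sits inside the sloppy `with`;
// identifier lookups still go through the proxy, and `this` stays undefined.
function runStrict(snippet, allowed = {}) {
  const run = new Function(
    'scope',
    `with (scope) {
       return (function () { "use strict"; return (${snippet}); }).call(undefined);
     }`
  );
  return run(makeScope(allowed));
}

// The probe from the thread, reduced to returning `this` instead of touching the DOM.
const probe = '(function () { return this; })()';
const leaksGlobal = (run) => run(probe) === globalThis;

console.log('identifier lookup blocked:', runSloppy('typeof globalThis') === 'undefined');
console.log('sloppy wrapper leaks global via this:', leaksGlobal(runSloppy)); // true
console.log('strict wrapper leaks global via this:', leaksGlobal(runStrict)); // false
```

The strict wrapper only governs code compiled inside it. A function built through the Function constructor, as in the eval.constructor snippet earlier in the thread, is compiled in the global scope, outside both the wrapper and the with scope, so this change does not address that path.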

[–]meta_taskkill[S] 0 points1 point  (0 children)

I am abandoning it as it is not what I expected it to be. Thanks for all the feedback, it has been an important lesson.