问题
I'm using nodejs as a middle-man between a client browser and the server to handle all the requests. I'm trying to use nodejs as a filter tool and highlight (if not) all malicious scripts. But I realize that nodejs let the script to run with the current environment privilege. So, I decide to run it in a new context by installing sandbox (npm install sandbox or git clone git://github.com/gf3/sandbox.git).
However when I run node I have this following error:
TypeError: Cannot call method \'runInNewContext\' of undefined'
Any ideas anyone?
回答1:
Have you looked at the inbuild sandbox abilities of node 0.4.6.
var localVar = 123,
usingscript, evaled,
vm = require('vm');
usingscript = vm.runInThisContext('localVar = 1;',
'myfile.vm');
console.log('localVar: ' + localVar + ', usingscript: ' +
usingscript);
evaled = eval('localVar = 1;');
console.log('localVar: ' + localVar + ', evaled: ' +
evaled);
// localVar: 123, usingscript: 1
// localVar: 1, evaled: 1
回答2:
I've never used it, but apparently there's an npm module for this: sandbox:
A nifty javascript sandbox for node.js
Some features
- Can be used to execute untrusted code.
- Support for timeouts (e.g. prevent infinite loops)
- Support for memory errors (and memory errors)
- Handles errors gracefully
- Restricted code (cannot access node.js methods)
- Supports console.log and print utility methods
- Supports interprocess messaging with the sandboxed code
This is referenced by the bug report on runThisInContext flagging up that it is not secure mentioned by broofa in a comment on another answer saying to use runThisInContext.
来源:https://stackoverflow.com/questions/5748985/nodejs-in-sandbox