

Ask HN: What options are there for executing untrusted code in Node.js? - thomasfoster96

Over the past couple of weeks while prototyping various ideas I've kept on running into a hurdle when it comes to trying to run untrusted JavaScript code in Node.JS.

One solution I found early on was Sandbox (http://gf3.github.io/sandbox/), which seems to be fairly safe security wise, but doesn't offer much else.

Node.JS also has a vm module (http://nodejs.org/api/vm.html), but it is 'Unstable'.

I've also come across sandboxed-module (https://github.com/felixge/node-sandboxed-module), however I can't figure out what it actually does, and also js.js (https://github.com/jterrace/js.js), but it's much too slow to be of much use.

So, does anyone else know of any other solutions?
======
egfx
I never ended up using it but take a look at
[https://code.google.com/p/google-caja/wiki/JsHtmlSanitizer](https://code.google.com/p/google-caja/wiki/JsHtmlSanitizer)

and there is a node wrapper here
[https://www.npmjs.org/package/google-caja](https://www.npmjs.org/package/google-caja)

Funny about Node Sandbox. I was fluctuating from grasping it completely to
asking wtf is this myself, lol.

~~~
thomasfoster96
I'll have a look at Google Caja, thanks.

------
fabulist
Perhaps if those tools aren't meeting your needs, you could run the Node
interpreter in a sandbox, instead.

------
arghbleargh
What about Sandbox doesn't suit your needs?

~~~
thomasfoster96
It'd be great to be able to access the scope of the sandboxed code from the
script using the sandbox. I vaguely remember another sandbox-like project
having this as a feature, but I can't remember the project name.

Sandbox doesn't really offer much in this department except for concatenating
variable declarations to the start of the untrusted code, which isn't exactly
nice to work with.

