[nodejs] Re: Running javascript code "safely"

2013-01-16 Thread Alexey Petrushin
How do you handle (malicious):
- infinite (or very long) loops?
- huge memory consumption?

On Thursday, January 17, 2013 1:24:58 AM UTC+4, Gustavo Machado wrote:
>
> Hello,
>
> We are building a platform that is oriented to developers in node.js, and
> we are in the process of evaluating giving

[nodejs] Re: Running javascript code "safely"

2013-01-16 Thread Alexey Petrushin
There was such a project, about two years ago - it allowed creating server-side js applications, but it was bought by some bigger company. Sad - I don't remember its name, nor the company that consumed it. Would be interesting to know how they solved that task.

On Thursday, January 17, 2013

[nodejs] Re: Running javascript code "safely"

2013-01-17 Thread Alexey Petrushin
Hmm, after reading the explanation of Bradley Meck I believe the answer to the question "can I run JS safely on the server" for most cases is - "no, you can't, it's too complex" (not even mentioning the performance).

--
Job Board: http://jobs.nodejs.org/
Posting guidelines: https://github.co

[nodejs] Re: Running javascript code "safely"

2013-01-17 Thread Alexey Petrushin
Maybe there are projects that use a safe interpreter to run a subset of JS (it will run maybe ten or a hundred times slower than JS, but sometimes it's ok)?

[nodejs] Re: Running javascript code "safely"

2013-01-17 Thread Bradley Meck
You can run it perfectly safely, but always understand you want the OS for protection. That is the first line, not a module. Now running something with shared code... harder, but SES shows promise and does what I mentioned using wrappers; hopefully, we will see it usable in both browser and Nod

[nodejs] Re: Running javascript code "safely"

2013-01-18 Thread Sergey Jamy
run code in Rhino | MongoDB | Wakanda Server No?

On Thursday, January 17, 2013, 23:45:59 UTC+2, user Alexey Petrushin wrote:
>
> Maybe there are projects that use a safe interpreter to run a subset of JS (it
> will run maybe ten or a hundred times slower than JS, but sometimes it's ok)?
> --

[nodejs] Re: Running javascript code "safely"

2013-01-18 Thread Austin William Wright
Why won't require('vm') with strict mode work? Let's assume that no while(1) loops will be run. And of course, you cannot statically determine every script that will end up running forever, never mind which functions will take an unnecessary amount of resources.

On Wednesday, January 16, 2013 2

[nodejs] Re: Running javascript code "safely"

2013-01-18 Thread Bradley Meck
Austin: won't go into great detail, but here's a fun little example:

```javascript
function exploit() {
  console.log.constructor("process.exit(42)")();
}
var result = require('vm').runInNewContext([
  '"use strict";',
  '('+exploit.toString()+')()'
].join('\n'), {console:console});
console.log('I
```

[nodejs] Re: Running javascript code "safely"

2013-01-19 Thread Austin William Wright
I'd call this a bug; none of the context is supposed to be shared, including Function and Object.

On Friday, January 18, 2013 12:15:38 PM UTC-7, Bradley Meck wrote:
>
> Austin: won't go into great detail, but here's a fun little example:
>
> ```javascript
> function exploit() {
>   console.log.con

[nodejs] Re: Running javascript code "safely"

2013-01-20 Thread Bradley Meck
Austin:
https://github.com/joyent/node/issues/2486
https://github.com/joyent/node/issues/3042

Re: [nodejs] Re: Running javascript code "safely"

2013-01-17 Thread Angel Java Lopez
Yes, or write a DSL. But we can write a JavaScript interpreter in JavaScript itself... JavaScript doing JavaScript ;-)

On Thu, Jan 17, 2013 at 6:45 PM, Alexey Petrushin < alexey.petrus...@gmail.com> wrote:
> Maybe there are projects that use a safe interpreter to run a subset of JS (it
> will run mayb

Re: [nodejs] Re: Running javascript code "safely"

2013-01-17 Thread Mark S. Miller
SES just JavaScript at essentially full speed.

On Thu, Jan 17, 2013 at 1:45 PM, Alexey Petrushin wrote:
> Maybe there are projects that use a safe interpreter to run a subset of JS (it
> will run maybe ten or a hundred times slower than JS, but sometimes it's ok)?

Re: [nodejs] Re: Running javascript code "safely"

2013-01-17 Thread Mark S. Miller
s/just/runs/

On Thu, Jan 17, 2013 at 1:51 PM, Mark S. Miller wrote:
> SES just JavaScript at essentially full speed.
>
> On Thu, Jan 17, 2013 at 1:45 PM, Alexey Petrushin wrote:
>> Maybe there are projects that use a safe interpreter to run a subset of JS (it
>> will run maybe ten or a hundred time

Re: [nodejs] Re: Running javascript code "safely"

2013-01-18 Thread Diogo Resende
Assuming you get the script in advance and you have time before running it (user submits it), I would go with the uglify approach. I would then write a new script using vm and would run it using child_process. I would check if it lasts longer than expected. If ok, then save it and run it later w

Re: [nodejs] Re: Running javascript code "safely"

2013-01-18 Thread Diogo Resende
Ex:

# the exploit
```js
..whatever
```

1. Run thru uglify and check if it calls require.
2. Write a script (maybe based on a template) that would load the "exploit" using a vm and without any context.

```js
require('vm').runInNewContext([
  '"use strict";',
  '('+exploit.toString()+')()'
].join
```

Re: [nodejs] Re: Running javascript code "safely"

2013-01-18 Thread Bradley Meck
See my earlier post with OS security and the various things about it. Even in a child process you can wreak havoc. Also, you need to pass in some sort of context or get some sort of output for you to do anything of value. It needs to be made into a string, fire some function, return a value, or