Node.js
starwars9isgreatlol, 2020-01-23 09:33:51

How to isolate (sandbox) part of an application in Node.js?

Hello, I decided to start a pet project for learning and entertainment, something like a CMS.
For development, I decided to take Node.js and Vue. The task was to somehow isolate untrusted code from clients from trusted code.
For example:

<template>
  <component :is="component" v-for="component in page" />
</template>

<script>
import axios from 'axios'

export default {
  async serverPrefetch() {
    // Get the list of components for the page
    const { data } = await axios.get('/page/' + this.userId)

    // Return the components, loading them from the user's folder
    this.page = data.map(component => {
        return () => import('~/UNTRUSTED_CODE/'+ this.userId +'/components/' + component + '.vue')
    })
  },
}
</script>

That is, the user can edit files inside his folder /UNTRUSTED_CODE/$userId/
And since I want to do server rendering, it turns out that I need to execute untrusted code on the server
that can read files, run while(true); in general, this is a hole.
Is it possible to somehow isolate such code from the main application?
That is, when reading files, only the folder of this user would be read.
So that the user cannot read other sources, for example, the code above.
So that on memory overflow or endless recursion the entire application would not crash.
Trusted code must somehow interact with untrusted code.
I googled sandboxes like vm2, but they are unreliable, and I have no experience with Docker.
What are the general approaches to this?
Thank you!

1 answer(s)
Robur, 2020-01-23
@Robur

Is it possible to somehow isolate such code from the main application?
That is, when reading files, only the folder of this user would be read.
So that the user cannot read other sources, for example, the code above.
So that on memory overflow or endless recursion the entire application would not crash.

Run it in a separate process with limited privileges. But still, making a real sandbox is very difficult.
Another matter is that it shouldn't be done the way you want at all.
If it is a CMS, then the user should manage the content and not the code.
If the user really needs to manage the code, then virtual machines and custom servers are your way. You can make pre-installed docker files, for example, where the entire environment is already deployed and additional user files are simply copied, or come up with something else, as far as knowledge and imagination allow.
Although, if you yourself write a real sandbox to execute individual Node.js files there, then this project will be noticeably cooler than some CMS.
