evel
Other options / related work
Figured I'd open a thread to list "see alsos".
https://developers.google.com/caja/ — "The Caja Compiler is a tool for making third party HTML, CSS and JavaScript safe to embed in your website."
https://code.google.com/p/mentaljs/ — "I want to execute within the window but prevent sandboxed code from writing to native objects."
https://github.com/mmckegg/notevil - "Unlike built-in [eval], there is no access to global objects, only the context that is passed in as the second object."
https://github.com/tildeio/oasis.js - "a pleasant API for safe communication with untrusted code in sandboxed iframes." Oasis is a strong candidate, built by some really smart people. It sandboxes via an iframe or optionally a webworker. Executed code is acquired via a url, making injection of raw javascript a bit tricky. See this issue: https://github.com/tildeio/oasis.js/issues/76#issuecomment-31262361
https://github.com/substack/vm-browserify - "Emulate node's vm module for the browser."
https://github.com/eligrey/jsandbox - "A JavaScript sandboxing library that uses web worker threads"
Oh hello. html5 sandbox attribute on iframes. (this is how oasis.js does it)
http://www.html5rocks.com/en/tutorials/security/sandboxed-iframes/
http://www.html5rocks.com/static/demos/evalbox/index.html
https://github.com/jterrace/js.js - "js.js is a JavaScript interpreter in JavaScript. Instead of trying to create an interpreter from scratch, SpiderMonkey is compiled into LLVM and then emscripten translates the output into JavaScript." Slow down is reportedly 200x
https://github.com/NeilFraser/JS-Interpreter - "A sandboxed JavaScript interpreter in JavaScript."
https://github.com/js-js/js.js/ - is really really WIP but a project worth taking a look at. JIT-compiles and runs js.
I made a thing https://github.com/kumavis/iframe-sandbox - creates a sandboxed iframe with methods for eval and writing to document body
https://github.com/tc39/proposal-realms (UPDATE: and related https://github.com/tc39/proposal-ses, via https://github.com/denoland/deno/issues/1639#issuecomment-574402678 and as I'm catching up also mentioned below)
nowadays I'm using SecureEcmaScript (SES), based on the Realms shim
I'm using it in my secure app builds project LavaMoat
Here's the kernel of how the realms shim works, quite clever.
The first `arguments[0]` is a Proxy that enforces the endowments whitelist (it will throw an error if you try to look up something not in the internal scope of the eval statement and not on the endowments whitelist). The second `arguments[0]` is the code to be eval'd.
```js
with (arguments[0]) {
  ${optimizer}
  return function() {
    'use strict';
    return eval(arguments[0]);
  };
}
```
from https://github.com/Agoric/realms-shim/blob/69077083141a87d84007a9d8ab9df4af7103f0bf/src/evaluators.js#L61-L67
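The `with` plus Proxy pattern from the comment above, as a runnable added example that is not part of the thread and is not realms-shim code. `makeEvaluator`, `tryEvaluate`, the sample endowments and the one-shot `eval` flag are this example's own assumptions, and it shows only the scope-interception layer, not the separate realm and frozen intrinsics that a full SES setup relies on.

```javascript
// Added illustration of the with + Proxy technique; not realms-shim source.
// makeEvaluator, tryEvaluate and the endowments below are hypothetical names.
function makeEvaluator(endowments) {
  const allowed = Object.assign(Object.create(null), endowments);
  const realEval = eval;
  let handOutRealEval = false; // true only for the evaluator's own eval lookup
  const scopeProxy = new Proxy(Object.create(null), {
    // Claim every name so no lookup falls through to the real global object.
    has() { return true; },
    get(_target, name) {
      if (name === Symbol.unscopables) return undefined;
      if (name === 'eval' && handOutRealEval) {
        handOutRealEval = false; // one-shot: guest code never sees real eval
        return realEval;
      }
      if (name in allowed) return allowed[name];
      throw new ReferenceError(`${String(name)} is not whitelisted`);
    },
    set(_target, name) {
      throw new TypeError(`cannot assign to ${String(name)}`);
    },
  });

  // A new Function body is sloppy mode, so `with` is legal here even when
  // this file is strict; the inner function is the strict island.
  const scoped = new Function(`
    with (arguments[0]) {
      return function () {
        'use strict';
        return eval(arguments[0]);
      };
    }
  `)(scopeProxy);

  return function evaluate(code) {
    handOutRealEval = true;
    try { return scoped(String(code)); } finally { handOutRealEval = false; }
  };
}

// Returns the result, or the error name when the proxy rejected an access.
function tryEvaluate(evaluate, code) {
  try { return evaluate(code); } catch (err) { return err.name; }
}

const evaluate = makeEvaluator({ x: 40, add: (a, b) => a + b }); // constructed
console.log(tryEvaluate(evaluate, 'add(x, 2)'), tryEvaluate(evaluate, 'globalThis'));
```

Names declared inside the evaluated code resolve in the eval's own scope before the proxy is consulted, so guest code can still define and use its own variables.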
@kumavis Clever indeed! I had wondered if `with` could be somehow used but couldn't quite see it working out and ended up writing it off since it wasn't available in strict mode anyway. But they've managed to build it up in a hybrid of a strict island within what they call "sloppy" mode. And then using that to have every global access run through their own accessor 😍
In a sense we're both blocking global access, but evel does it with a brute-force "grab all the names" in an ES5-only way; they combine an ancient non-strict JS oddity with the new ES7 Proxy to MITM all global access. My hat's off to them, and thank you for sharing!