JavaScript Sandbox: Safe Mode
Overview
Bruno supports execution of JavaScript code in Variables, Scripts, Tests, and Assertions. Today, we use vm2 to execute JavaScript.
This approach, however, allows the code to execute system commands and access the file system, which is a security risk.
Most collections do not need to execute system commands or access the file system.
We are introducing Safe Mode to execute JavaScript code in a secure sandbox environment using isolated-vm.
The user can switch to Developer Mode if the collection needs access to the file system or system commands, provided the user is aware of the security risks and trusts the source of the collection.
Mockup
The PR - https://github.com/usebruno/bruno/pull/2803 is almost ready. We are doing some testing before getting it merged to main and moving forward with a release.
@helloanoop is there a way where we can make Safe Mode to be disabled via a config flag? We use scripts always by default in our dev environment (that import libraries), and want to make sure any new developers don't run into issues related to this.
Any way to make it default to safe mode without asking whenever I create a new collection?
Making this a nag prompt on every single script opened is kinda insane.
Yes. We will consider this. An option to set either safe or developer mode as default makes sense.
The issue related to setting the default mode is being tracked here: https://github.com/usebruno/bruno/issues/4779. Since the main issue has been resolved, I’m closing this one.