nerio

A safe subset of JavaScript for running untrusted third-party code.

Nerio

Nerio is a "safe" subset of JavaScript, not unlike Adsafe, that helps you run untrusted code without allowing it access to various language and browser features.

Background

Sometimes you'd like to allow third-party code to run as part of a page or application. Unfortunately, it's hard to know what nefarious things someone else's code might do. Nerio defines a subset of JavaScript and provides some simple tools and models for checking that an arbitrary piece of JavaScript code is valid Nerio code. Static analysis has the benefit that once code is checked, it can run at full speed whether in the browser or a server-side engine. Alternatives involving JavaScript interpreters compiled to asm.js can be two orders of magnitude slower. WebWorker sandboxes require a virtual DOM, which is also potentially very slow.

Getting started

To get started with Nerio you should have the latest Node.js (including npm) installed on your system. There is a devenv script included that will install it for you on Unix-like platforms. Note: you need to download Node.js and npm directly from nodejs.org because the version tracked by most package managers is too old.

npm install -g git@github.com:kmacrow/Nerio.git

Then you can use nerio on the command line,

$ echo "var PI = 3.14;" | nerio

or pass it a file to check:

$ nerio samples/eval.js
Failed:
EVAL: Explicit call to eval() at 2:0
EVAL: Assignment to result of eval() at 4:8
EVAL: Assignment to result of eval() at 4:22
...

or the programmatic API:

var nerio = require('nerio');
// check_code() takes a list of files to check and calls back with a
// success flag and, on failure, the details of what was rejected.
nerio.check_code(['js/script-to-check.js'], function(success, err) {
    if( !success )
        console.log(err);
    else
        console.log('Success!');
});

There is also an API compiled for use directly in the browser.

<script src="//nerio/dist/nerio.min.js"></script>
<script>
    var code = '...';
    nerio.check_code(code, function(success, err) { ... });
</script>
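The following is an added example, not code from the Nerio repository. It illustrates the model described under Background: statically reject code that uses something outside the allowed subset, then run whatever passes at full speed. The scanner reports uses of the identifier eval outside strings and comments as LINE:COL (zero-based column), in the same shape as the CLI output shown above. It assumes a deliberately small lexical check; Nerio's real checker parses the code and enforces many more rules, and this scanner does not understand regular-expression or template literals, so it over-reports there. The sample input and the function names are constructed for the example.

```javascript
'use strict';

// Added example, not Nerio's own code. A small lexical check in the spirit of
// Nerio's model: reject code statically, then run what passes at full speed.
// Assumption: Nerio's real checker parses the code; this scanner does not
// understand regular-expression or template literals and will over-report there.

const IDENT_CHAR = /[A-Za-z0-9_$]/;

function findEvalUses(source) {
  const findings = [];
  const n = source.length;
  let i = 0;      // index into source
  let line = 1;   // 1-based line of source[i]
  let col = 0;    // 0-based column of source[i]

  // Consume one character and keep the line:col cursor in step with it.
  function step() {
    const c = source[i++];
    if (c === '\n') { line += 1; col = 0; } else { col += 1; }
    return c;
  }
  const isIdentChar = (c) => c !== undefined && IDENT_CHAR.test(c);

  while (i < n) {
    const c = source[i];
    const next = source[i + 1];
    if (c === '/' && next === '/') {
      // Line comment: skip to end of line (the newline itself is consumed below).
      while (i < n && source[i] !== '\n') step();
    } else if (c === '/' && next === '*') {
      // Block comment: skip to the closing */.
      step(); step();
      while (i < n && !(source[i] === '*' && source[i + 1] === '/')) step();
      step(); step();
    } else if (c === '"' || c === "'" || c === '`') {
      // String literal: skip its body, honouring backslash escapes.
      const quote = step();
      while (i < n && source[i] !== quote) {
        if (source[i] === '\\') step();
        step();
      }
      step();
    } else if (isIdentChar(c)) {
      // Identifier or number: read the whole run so `evaluate` is not `eval`.
      const startLine = line, startCol = col;
      let word = '';
      while (i < n && isIdentChar(source[i])) word += step();
      if (word === 'eval') {
        // Peek past horizontal whitespace to tell a call from a bare reference.
        let j = i;
        while (source[j] === ' ' || source[j] === '\t') j += 1;
        const kind = source[j] === '(' ? 'Explicit call to eval()' : 'Reference to eval';
        findings.push({ line: startLine, col: startCol, kind });
      }
    } else {
      step();
    }
  }
  return findings;
}

// Render findings the way the nerio CLI prints them, one per line.
function formatFindings(findings) {
  return findings.map((f) => `EVAL: ${f.kind} at ${f.line}:${f.col}`);
}

// Check first, then execute: the check is paid once and code that passes runs
// at native speed. Passing this toy check does not make code safe; in a real
// deployment the gate is Nerio's full checker.
function checkThenRun(source) {
  const findings = findEvalUses(source);
  if (findings.length > 0) return { ok: false, findings };
  return { ok: true, result: new Function(source)() };
}

// Constructed sample input (not from the Nerio repository).
const SAMPLE = [
  '// eval() in a comment is ignored',
  'var s = "eval(1)"; // and so is eval inside a string',
  'eval("1 + 1");',
  'var f = window.eval;',
  'var evaluate = 1;',
].join('\n');

if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  const findings = findEvalUses(SAMPLE);
  console.log(findings.length ? 'Failed:' : 'OK');
  formatFindings(findings).forEach((l) => console.log(l));
}
```

Running the file with node prints "Failed:" followed by the two findings for the sample (the call on line 3 and the reference on line 4); the string and comment mentions of eval are not reported, and the identifier evaluate is left alone.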