sbx

    2.1.0 • Public • Published


    Run untrusted code as a VM in a child process

    sbx allows you to run untrusted code in a more secure manner than simply using eval() or Function(). To accomplish this, a child process is forked and the untrusted code is run in Node's vm module with its own context. Inside the vm the untrusted code is wrapped in a try/catch inside an anonymous function in order to capture exceptions and output. Upon completion the context is returned to the user via callback or promise.

    • Code is run inside an anonymous function and should be written as such
    • Reserved variables _result, _exception, and _stdout are added to the context and should not be set by untrusted code
    • 'use strict' statements are removed from untrusted code as they cause exceptions for passed context variables



    sbx.vm( code, [options], [callback] )

    • code {String} - String of untrusted JavaScript to run.
    • [options] {Object} - Options hash
      • [context] {Object} - Hash of key/value pairs that will be passed to the vm and are available to the untrusted code (previously named variables)
      • [lockdown=true] {Boolean} - If false, require statements will be allowed in order to use external modules
      • [timeout] {Number} - Time in milliseconds before the VM times out
      • [transform] {Function} - A function with the signature transform(code, options) that should return a string of transformed code. This can be used to transform ES6 code using babel (see the babel example below)
      • [parseImports=false] {Boolean} - Parse ES6+ import statements. Should be used with an ES6 source transform function and lockdown=false
    • [callback] {Function} - Error-first callback with signature callback(error, context)

    Returns a Promise that resolves to an SBXContext with the following properties:



    • _result {any} - The return value of the executed code
    • _exception {Object} - A hash containing the error message, stack trace, and scope of where the exception was caught (the child_process or the vm)
    • _stdout {Array} - An array of stringified values from any calls to sbx.log() (or the console methods listed below) inside the vm
    • [context variables] {any} - Updated context variables

    Capturing stdout

    All arguments to console methods log, error, info, trace, and warn are automatically added as items in the _stdout context variable

    You may also use the sbx.log method which is an alias for console.log


    var sbx = require('sbx')
    var code = 'x++; console.log(\'I like the number\', x);'
    var options = {
      context: { x: 7 },
      timeout: 100
    }
    var callback = function(error, context) {
      if (error) return console.error(error)
      console.log('The value of x = ', context.x)
    }
    sbx.vm(code, options, callback)
    // > I like the number 8
    // > The value of x = 8

    Example with external module and promise result

    var sbx = require('sbx')
    var code = 'var _ = require("lodash"); x = _.uniq(x); return x;'
    var options = {
      context: { x: [1,1,2,2,3,4,5,6,6] },
      lockdown: false   // allow require() inside the vm
    }
    sbx.vm(code, options).then(function (context) {
      console.log('The value of x = ', context.x)
      console.log(context._result)   // the value returned by the untrusted code
    }).catch(function (error) {
      console.error(error)
    })
    // > The value of x = [1, 2, 3, 4, 5, 6]
    // > [1, 2, 3, 4, 5, 6]

    Example with es2015 transform via babel + logging

    var babel = require('babel-core')
    var sbx = require('sbx')
    var code = 'let fn = (msg) => msg\nsbx.log(message)\nreturn fn(message)'
    var options = {
      context: { message: 'test' },
      transform: function (code, opts) {
        // transform must return a string, so take .code from babel's result
        return babel.transform(code, {
          presets: ['es2015', 'stage-2'],
          plugins: ['transform-runtime']
        }).code
      }
    }
    sbx.vm(code, options).then(function(context) {
      console.log('Result = ', context._result)
      console.log(context._stdout)   // captured sbx.log() output
    }).catch(function (error) {
      console.error(error)
    })
    // > Result = test
    // > ['test']


    npm i sbx

    Collaborators

    • vbranden