Terrarium is not a security sandbox and is trivially easy to exploit. Code you hand to it runs with the privileges of the host: Terrarium.Node runs it in an ordinary forked Node process with the same access as the parent, and Terrarium.Browser runs it in an iframe inside the user's browser. Only run code you trust, or add your own isolation around it.
How it Works
transform: Terrarium parses the source with esprima, then uses js-traverse to walk every node of the resulting AST looking for comment nodes. Each comment is transformed into an instrumentation call that reports back to the host; in node, that call uses process.send.
Terrarium provides two APIs, Terrarium.Browser and Terrarium.Node. They expose the same interface but run code differently on their separate platforms:
- Terrarium.Browser runs code in a web browser by creating an iframe and calling functions inside it.
- Terrarium.Node runs code in a subprocess created with .fork and receives the instrumentation calls through process.send.
Terrarium.Browser is designed to be used with browserify.
The Terrarium.Browser constructor also accepts an options object.
The options include:
```js
var t = new Terrarium.Browser();
// or var t = new Terrarium.Node();
t.on('data', function (data) { /* values reported by instrumentation calls */ });
t.on('err', function (err) { /* errors thrown by the code */ });
t.run(code);
// later...
t.destroy(); // shut down
```
- Why not vm.runInContext: this was the previous approach. Terrarium now uses a child process because the code can then bind to ports like any real program, and killing the child on close also releases everything it created: bound ports, listeners and timers. A vm context runs inside your own process, so those would keep running and could not be reliably cancelled.
- Why not eval(): eval runs in the caller's scope and shares its globals, so it provides no variable sandboxing and the evaluated code can easily overwrite existing variables on your page. It also gives you no handle on timers the code starts, so they cannot be cancelled.