vmbox
vmbox is a security sandbox
born to solve the insecureness of node's vm module, which can be used to run untrusted js code
Node provides a vm module to run js code, but it is not safe and cannot be used to run untrusted code.
The vm module is not a security mechanism. Do not use it to run untrusted code
The community has provided vm2 with the ability to run unsafe code and to defend against all known attack methods. But the problem of asynchronous endless loop still exists.
vmbox uses child process isolation and encapsulates vm2 to solve the problem of asynchronous endless loop.
Feature
- forced exit in an endless loop (kill child process in an endless loop)
- cross-process function call (using IPC cross-process call function)
- functions call each other (inter-function calls with the help of context)
- internal task queue
- process autonomy (killed since startup)
- return promise
Installation
npm install vmbox --save
Quickstart
const VMBox = ;const vmBox = timeout: 100 asyncTimeout: 500; const fn = `a = 10`;vmBox// 打印10
timeout
is the limit execution time for synchronous code, default 100ms
asyncTimeout
is the limit execution time for asynchronous code, default 500ms
Documentation
background
There are a large number of independent js functions in the project that are converted into APIs to provide external services and provided to multiple project calls. It was decided to use the idea of faas to transform the functions into API services. vmbox is the core function of building a simple faas without a cloud vendor.
Project survey found that the current nodejs provided vm and community vm2 are some problems for the security and stability of the service, to vm2 conducted business package.
vmbox is used to run online services, so the function is required to be as single as possible and less dependent, to ensure that vmbox reduces timeouts (restarting processes requires a large amount of cpu resources) and good performance.
vm2
vm2 is very powerful, vmbox encapsulates the most basic functions of vm2, only supports context function injection, and does not support node built-in modules and custom modules.
// innernal vm2 usageconst VM = ;const vm = timeout sandbox ;const result = await vm;
usage
The vmbox instance has only one run
method, and the return value is apromise
, receiving three parameters
param name | type | required | default | introduction |
---|---|---|---|---|
code | string | true | - | js code to run |
context | object | false | {} | function execution context |
stack | boolean | false | false | call other functions within the function and record the function call stack |
If the code runs incorrectly, an exception will be thrown by Promise.reject (error), and the exception needs to be caught
basic usage
const VMBox = ;const vmBox = timeout: 100 asyncTimeout: 500; const context = { return a + b; } const fn = `sum(2, 3)` vmBox// log 5
advanced usage
There are many things you can do with the help of a function execution context. Here is a method that calls other functions from inside the function.
const VMBox = ;const vmBox = timeout: 100 asyncTimeout: 500; const fnGroup = sum: `async function main({params, fn}){ const {a, b} = params; return a + b }` caller: `async function main({params, fn}){ return await fn.call('sum', params); }`; { const runCode = code + `;\n(async () => { return await main({params, fn}); })()` return vmBox;} const fn = { const code = fnGroupname; if code return ; else return null; } const context = fn params: a: 10 b: 20 const code = fnGroupcaller;try const res = await ; console; // 打印30 catch error console;
If the functions call each other, a closed loop of calls may be formed. If the running is not completed for 500ms, the execution child process will be killed and a new child process will be started.
principle
Func_Service
is a serviceWorker
和Runner
are part of vmboxWorker
run in the main processRunner
runs in a child process, the environment in which untrusted code runs
contributing
This repository is used to build faas service. It is currently used in online projects. If you find a problem during use, you can submit an issue and we will fix it as soon as possible. If you have good suggestions for modification, you can submit a pull request, including issue and solution.