My notes on "The security concerns of a JavaScript sandbox with the Node.js VM module"


Eval is bad, right? But then, what are the alternatives?

Node has a vm module that feels like a modern-day eval alternative: you pass in code and a context object and it runs the code:

vm.runInNewContext('count += 1; name = "kitty"', contextObject);

But: is it secure?

Short answer: no.

On the documentation page on the Node built-in vm module it says:

The node:vm module is not a security mechanism. Do not use it to run untrusted code.

I was wondering why. What are the possible attack vectors that the vm module does not protect against?

The article provides 2 examples.

The first is a trivial denial-of-service attack: the user-provided script might never terminate:

while(true) {}

While this can shut down a server, in theory it's possible to protect against it:

  • use the timeout option to forcibly terminate the code
  • block the offending user from submitting more code

The next attack from the article is more serious: it allows arbitrary code execution by getting a reference to the host's Function constructor via this.constructor.constructor:

this.constructor.constructor('console.log(process.env)')()

This allows accessing anything in the running process.

If users are allowed to run custom code, they have complete access to the Node.js server runtime and can spawn processes, access the file system, and more.

So, vm is not secure. What is?

There is a project called isolated-vm that aims to provide exactly that:

This allows you to create JavaScript environments which are completely isolated from each other.

The downside is that it is in maintenance mode, which for a security product does not inspire much confidence.

To me it seems like it's still an open problem without any clear solutions.

July 5, 2024
