sandbox 0.8.6 → 1.0.0-beta.1

package/example/example.js

@@ -1,64 +0,0 @@
-var Sandbox = require("../lib/sandbox")
-  , s = new Sandbox()
-
-// Example 1 - Standard JS
-s.run( "1 + 1", function( output ) {
-  console.log( "Example 1: " + output.result + "\n" )
-})
-
-// Example 2 - Something slightly more complex
-s.run( "(function(name) { return 'Hi there, ' + name + '!'; })('Fabio')", function( output ) {
-  console.log( "Example 2: " + output.result + "\n" )
-})
-
-// Example 3 - Syntax error
-s.run( "lol)hai", function( output ) {
-  console.log( "Example 3: " + output.result + "\n" )
-});
-
-// Example 4 - Restricted code
-s.run( "process.platform", function( output ) {
-  console.log( "Example 4: " + output.result + "\n" )
-})
-
-// Example 5 - Infinite loop
-s.run( "while (true) {}", function( output ) {
-  console.log( "Example 5: " + output.result + "\n" )
-})
-
-// Example 6 - Caller Attack Failure
-s.run( "(function foo() {return foo.caller.caller;})()", function( output ) {
-  console.log( "Example 6: " + output.result + "\n" )
-})
-
-// Example 7 - Argument Attack Failure
-s.run( "(function foo() {return [].slice.call(foo.caller.arguments);})()", function( output ) {
-  console.log( "Example 7: " + output.result + "\n" )
-})
-
-// Example 8 - Type Coersion Attack Failure
-s.run( "(function foo() {return {toJSON:function x(){return x.caller.caller.name}}})()", function( output ) {
-  console.log( "Example 8: " + output.result + "\n" )
-})
-
-// Example 9 - Global Attack Failure
-s.run( "x=1;(function() {return this})().console.log.constructor('return this')()", function( output ) {
-  console.log( "Example 9: " + output.result + "\n" )
-})
-
-// Example 10 - Console Log
-s.run( "var x = 5; console.log(x * x); x", function( output ) {
-  console.log( "Example 10: " + output.console + "\n" )
-})
-
-// Example 11 - IPC Messaging
-s.run( "onmessage = function(message){ if (message === 'hello from outside') { postMessage('hello from inside'); };", function(output){
-  
-})
-s.on('message', function(message){
-  console.log("Example 11: received message sent from inside the sandbox '" + message + "'\n")
-});
-var test_message = "hello from outside";
-console.log("Example 11: sending message into the sandbox '" + test_message + "'");
-s.postMessage(test_message);
-

package/lib/sandbox.js

@@ -1,124 +0,0 @@
-//-----------------------------------------------------------------------------
-// Init
-//-----------------------------------------------------------------------------
-
-var fs           = require('fs');
-var path         = require('path');
-var spawn        = require('child_process').spawn;
-var util         = require('util');
-var EventEmitter = require('events').EventEmitter;
-
-//-----------------------------------------------------------------------------
-// Constructor
-//-----------------------------------------------------------------------------
-
-function Sandbox(options) {
-  var self = this;
-  
-  // message_queue is used to store messages that are meant to be sent
-  // to the sandbox before the sandbox is ready to process them
-  self._ready = false;
-  self._message_queue = [];
-  
-  self.options = {
-    timeout: 500,
-    node:    'node',
-    shovel:  path.join(__dirname, 'shovel.js')
-  };
-
-  self.info = JSON.parse(fs.readFileSync(path.join(__dirname, '..', 'package.json')));
-}
-
-// Make the Sandbox class an event emitter to handle messages
-util.inherits(Sandbox, EventEmitter);
-
-
-//-----------------------------------------------------------------------------
-// Instance Methods
-//-----------------------------------------------------------------------------
-
-Sandbox.prototype.run = function(code, hollaback) {
-  var self = this;
-  var timer;
-  var stdout = '';
-  self.child = spawn(this.options.node, [this.options.shovel], { stdio: ['pipe', 'pipe', 'pipe', 'ipc'] });
-  var output = function(data) {
-    if (!!data) {
-      stdout += data;
-    }
-  };
-
-  if (typeof hollaback == 'undefined') {
-    hollaback = console.log;
-  } else {
-    hollaback = hollaback.bind(this);
-  }
-
-  // Listen
-  self.child.stdout.on('data', output);
-
-  // Pass messages out from child process
-  // These messages can be handled by Sandbox.on('message', function(message){...});
-  self.child.on('message', function(message){
-    if (message === '__sandbox_inner_ready__') {
-      
-      self.emit('ready');
-      self._ready = true;
-      
-      // Process the _message_queue
-      while(self._message_queue.length > 0) {
-        self.postMessage(self._message_queue.shift());
-      }
-
-    } else {
-      self.emit('message', message);
-    }
-  });
-  
-  self.child.on('exit', function(code) {
-    clearTimeout(timer);
-    setImmediate(function(){
-      if (!stdout) {
-        hollaback({ result: 'Error', console: [] });
-      } else {
-        var ret;
-        try {
-          ret = JSON.parse(stdout);
-        } catch (e) {
-          ret = { result: 'JSON Error (data was "'+stdout+'")', console: [] }
-        }
-        hollaback(ret);
-      }
-    });
-  });
-
-  // Go
-  self.child.stdin.write(code);
-  self.child.stdin.end();
-  
-  timer = setTimeout(function() {
-    self.child.stdout.removeListener('output', output);
-    stdout = JSON.stringify({ result: 'TimeoutError', console: [] });
-    self.child.kill('SIGKILL');
-  }, self.options.timeout);
-};
-
-// Send a message to the code running inside the sandbox
-// This message will be passed to the sandboxed 
-// code's `onmessage` function, if defined.
-// Messages posted before the sandbox is ready will be queued
-Sandbox.prototype.postMessage = function(message) {
-  var self = this;
-  
-  if (self._ready) {
-    self.child.send(message);
-  } else {
-    self._message_queue.push(message);
-  }
-};
-
-//-----------------------------------------------------------------------------
-// Export
-//-----------------------------------------------------------------------------
-
-module.exports = Sandbox;

package/lib/shovel.js

@@ -1,113 +0,0 @@
-var util = require('util');
-var vm   = require('vm');
-
-//-----------------------------------------------------------------------------
-// Sandbox
-//-----------------------------------------------------------------------------
-
-var code    = '';
-var stdin   = process.openStdin();
-var result;
-var console = [];
-
-// Get code
-stdin.on('data', function(data) {
-  code += data;
-});
-stdin.on('end', run);
-
-function getSafeRunner() {
-  var global = this;
-  // Keep it outside of strict mode
-  function UserScript(str) {
-    // We want a global scoped function that has implicit returns.
-    return Function('return eval('+JSON.stringify(str+'')+')');
-  }
-  // place with a closure that is not exposed thanks to strict mode
-  return function run(comm, src) {
-    // stop argument / caller attacks
-    "use strict";
-    var send = function send(event) {
-      "use strict";
-      //
-      // All comm must be serialized properly to avoid attacks, JSON or XJSON
-      //
-      comm.send(event, JSON.stringify([].slice.call(arguments,1)));
-    };
-
-    global.print = send.bind(global, 'stdout');
-    global.console = { log: send.bind(global, 'stdout') };
-    global.process = { 
-      stdout: { write: send.bind(global, 'stdout') }
-    };
-    global.postMessage = send.bind(global, 'message');
-
-    // This is where the user's source code is actually evaluated
-    var result = UserScript(src)();
-    send('end', result);
-  }
-};
-
-// Run code
-function run() {
-
-  var context = vm.createContext();
-  var safeRunner = vm.runInContext('('+getSafeRunner.toString()+')()', context);
-  
-  try {
-    safeRunner({
-      send: function (event, value) {
-        "use strict";
-
-        switch (event) {
-          case 'stdout':
-            console.push(JSON.parse(value)[0]);
-            break;
-          case 'end':
-            result = JSON.parse(value)[0];
-            break;
-          case 'message':
-            process.send(JSON.parse(value)[0]);
-            break;
-          default:
-            throw new Error('Unknown event type');
-        }
-      },
-      exit: function(){
-        processExit();
-      }
-    }, code);
-  }
-  catch (e) {
-    result = e.name + ': ' + e.message;
-    // throw e;
-  }
-
-  process.on('message', processMessageListener.bind(null, context));
-  
-  process.send('__sandbox_inner_ready__');
-
-  // This will exit the process if onmessage was not defined
-  checkIfProcessFinished(context);
-};
-
-function processMessageListener(context, message){
-  vm.runInContext('if (typeof onmessage === "function") { onmessage('+ JSON.stringify(String(message)) + '); }', context);
-  checkIfProcessFinished(context);
-};
-
-function checkIfProcessFinished(context) {
-  if(vm.runInContext('typeof onmessage', context) !== 'function') {
-    processExit();
-  }
-};
-
-function processExit() {
-  process.removeListener('message', processMessageListener);
-
-  process.stdout.on('finish', function() {
-    process.exit(0);
-  });
-
-  process.stdout.end(JSON.stringify({ result: util.inspect(result), console: console }));
-};

package/test/sandbox.js

@@ -1,119 +0,0 @@
-//-----------------------------------------------------------------------------
-// Init
-//-----------------------------------------------------------------------------
-
-var should  = require('should');
-var sinon   = require('sinon');
-var Sandbox = require('../lib/sandbox');
-
-//-----------------------------------------------------------------------------
-// Tests
-//-----------------------------------------------------------------------------
-
-describe('Sandbox', function() {
-  var sb;
-  beforeEach(function(){
-    sb = new Sandbox();
-  });
-
-  it('should execute basic javascript', function(done) {
-    sb.run('1 + 1', function(output) {
-      output.result.should.eql('2');
-      done();
-    });
-  });
-
-  it('should gracefully handle syntax errors', function(done) {
-    sb.run('hi )there', function(output) {
-      output.result.should.eql("'SyntaxError: Unexpected token )'");
-      done();
-    });
-  });
-
-  it('should effectively prevent code from accessing node', function(done) {
-    sb.run('process.platform', function(output) {
-      output.result.should.eql("null");
-      done();
-    });
-  });
-
-  it('should effectively prevent code from circumventing the sandbox', function(done) {
-    sb.run("var sys=require('sys'); sys.puts('Up in your fridge')", function(output) {
-      output.result.should.eql("'ReferenceError: require is not defined'");
-      done();
-    });
-  });
-
-  it('should timeout on infinite loops', function(done) {
-    sb.run('while ( true ) {}', function(output) {
-      output.result.should.eql('TimeoutError');
-      done();
-    });
-  });
-
-  it('should allow console output via `console.log`', function(done) {
-    sb.run('console.log(7); 42', function(output) {
-      output.result.should.eql('42');
-      output.console[0].should.eql(7);
-      done();
-    });
-  });
-
-  it('should allow console output via `print`', function(done) {
-    sb.run('print(7); 42', function(output) {
-      output.result.should.eql('42');
-      output.console[0].should.eql(7);
-      done();
-    });
-  });
-
-  it('should maintain the order of sync. console output', function(done) {
-    sb.run('console.log("first"); console.log("second"); 42', function(output) {
-      output.result.should.eql('42');
-      output.console[0].should.eql('first');
-      output.console[1].should.eql('second');
-      done();
-    });
-  });
-
-  it('should expose the postMessage command to the sandboxed code', function(done){
-    var messageHandler = sinon.spy();
-    sb.on('message', messageHandler);
-    sb.run('postMessage("Hello World!");', function(output){
-      messageHandler.calledOnce.should.eql(true);
-      messageHandler.calledWith('Hello World!').should.eql(true);
-      done();
-    });
-  });
-
-  it('should allow sandboxed code to receive messages sent by postMessage from the outside by overwriting the onmessage function', function(done){
-    var messageHandler = sinon.spy();
-    sb.on('message', messageHandler);
-    sb.on('ready', function () {
-      sb.postMessage('Hello World!');
-    });
-    sb.run('onmessage = function (msg) { postMessage(msg); };', function(output) {
-      messageHandler.callCount.should.eql(1);
-      messageHandler.calledWith('Hello World!').should.eql(true);
-      done();
-    });
-  });
-  
-  it('should queue messages posted before the sandbox is ready and process them once it is', function(done){
-    var messageHandler = sinon.spy();
-    var num_messages_sent = 0;
-    var interval = setInterval(function(){
-      sb.postMessage(++num_messages_sent);
-    }, 1);
-    sb.on('message', messageHandler);
-    sb.run('onmessage = function (msg) { postMessage(msg); };', function(output) {
-      messageHandler.callCount.should.eql(num_messages_sent);
-      num_messages_sent.should.be.greaterThan(0);
-      done();
-    });
-    sb.on('ready', function(){
-      clearInterval(interval);
-    });
-  });
-
-});

package/tmp.js

@@ -1,8 +0,0 @@
-var Sandbox = require("./lib/sandbox")
-  , s = new Sandbox()
-
-// Example 10 - Console Log
-s.run( "var x = 5; console.log(x * x); console.log('pewpew');  x", function( output ) {
-  console.log( "Example 10: " + output.console + "\n" )
-})
-