1.x and 2.x docs
The `Buffer` class is no longer globally available by default in NodeVM. To make `Buffer` accessible globally, enable the `require` option and make sure the `buffer` module is whitelisted. More info in Known Issues.

VM is a simple sandbox, without the `require` feature, for synchronously running untrusted code. Only JavaScript built-in objects are available.
Options:

- `timeout` - Script timeout in milliseconds.
- `sandbox` - VM's global object.
- `language` - `javascript` (default) or `coffeescript`
```javascript
var VM = require('vm2').VM;
var options = {
    timeout: 1000,
    sandbox: {}
};

var vm = new VM(options);
vm.run("process.exit()"); // throws ReferenceError: process is not defined
```

You can also retrieve values from the VM.

```javascript
var number = vm.run("1337"); // returns 1337
```

IMPORTANT: The timeout is only effective on code you run through `run`. It is NOT effective on any method returned by the VM.
Unlike VM, NodeVM lets you require modules the same way as in a regular Node context.

Options:

- `console` - `inherit` to enable console, `redirect` to redirect to events, `off` to disable console (default: `inherit`)
- `sandbox` - VM's global object
- `language` - `javascript` (default) or `coffeescript`
- `require` - `true` to enable the `require` method (default: `false`)
- `requireExternal` - `true` to enable `require` of external modules (default: `false`)
- `requireNative` - Array of allowed native modules (default: all available)
- `requireRoot` - Restricted path where local modules can be required (default: every path)
- `useStrict` - Whether to add the `use strict` directive to required modules (default: `true`)
Available modules: assert, buffer, child_process, constants, crypto, tls, dgram, dns, http, https, net, punycode, querystring, url, domain, events, fs, path, os, stream, string_decoder, timers, tty, util, sys, vm, zlib
REMEMBER: The more modules you allow, the more fragile your sandbox becomes.
IMPORTANT: Timeout is not effective for NodeVM, so it is not immune to `while (true) {}` or similar evil.
```javascript
var NodeVM = require('vm2').NodeVM;
var options = {
    console: 'inherit',
    sandbox: {},
    require: true,
    requireExternal: true,
    requireNative: ['fs', 'path'],
    requireRoot: "./"
};

var vm = new NodeVM(options);
var functionInSandbox = vm.run("module.exports = function(who) { console.log('hello '+ who); }");
```

Securely call a method in the sandbox. All arguments except functions are cloned during the call to prevent context leakage. Functions are wrapped to secure their closures. Buffers are copied.
IMPORTANT: The method doesn't check for circular objects! If you send a circular structure as an argument, your process will get stuck in an infinite loop.

IMPORTANT: Always use the `vm.call` method to call methods or callbacks in the sandbox. If you call them directly, you expose yourself to the risk of main global context leakage!
```javascript
vm.call(functionInSandbox, 'world');
```

To load modules by relative path, you must pass the full path of the script you're running as the second argument of the vm's `run` method. The filename then also shows up in any stack traces produced from the script.

```javascript
vm.run("require('foobar')", "/data/myvmscript.js");
```

Before you can use vm2 from the command line, install it globally with `npm install vm2 -g`.

```
$ vm2 ./script.js
```

Allowing `buffer` to be required inside NodeVM may crash your app with `TypeError: Invalid non-string/buffer chunk` errors (reported here and here). To prevent `buffer` from loading, disable the `require` option or remove `buffer` from the list of whitelisted native modules. Keep in mind that modules like `fs` or `stream` require `buffer` internally.