From 9643ca6dedaf8184a4e9512a0b3f55e6837901fc Mon Sep 17 00:00:00 2001 From: bcoe <=> Date: Fri, 21 Dec 2012 22:14:54 -0800 Subject: [PATCH 1/4] adding support for passing an API into the sandbox, so that you can optionally have API methods inside the untrusted user code. --- lib/sandbox.js | 2 +- lib/shovel.js | 12 ++++++++++-- package.json | 3 ++- 3 files changed, 13 insertions(+), 4 deletions(-) diff --git a/lib/sandbox.js b/lib/sandbox.js index 62e7aba..e3e0471 100644 --- a/lib/sandbox.js +++ b/lib/sandbox.js @@ -13,7 +13,7 @@ function Sandbox( options ) { // Any vars in da house? var timer , stdout = '' - , child = spawn( this.options.node, [this.options.shovel] ) + , child = spawn( this.options.node, [this.options.shovel, '--api=' + (this.options.api || '')] ) , output = function( data ) { if ( !!data ) stdout += data diff --git a/lib/shovel.js b/lib/shovel.js index e5c5997..2c3385b 100644 --- a/lib/shovel.js +++ b/lib/shovel.js @@ -2,12 +2,20 @@ /* ------------------------------ INIT ------------------------------ */ var util = require( 'util' ) + , argv = require('optimist').argv , code , result , console , sandbox , Script - , stdin; + , stdin + , apiContext = {} + +// Optionally provide an API that the untrusted code +// will have access to. +if (argv.api.length) { + apiContext = require(process.cwd() + '/' + argv.api.replace('.js', '')); +} if ( ! ( Script = process.binding( 'evals').NodeScript ) ) if ( ! ( Script = process.binding('evals').Script ) ) @@ -53,7 +61,7 @@ function getSafeRunner() { wat = 0 // Run code function run() { - var context = Script.createContext(); + var context = Script.createContext(apiContext); var safeRunner = Script.runInContext('('+getSafeRunner.toString()+')()', context); var result; try { diff --git a/package.json b/package.json index 6ce681f..ea4ab87 100644 --- a/package.json +++ b/package.json @@ -11,7 +11,8 @@ , "directories" : { "lib" : "./lib" } , "engines" : [ "node >=0.5.0" ] , "devDependencies" : - { "should": ">=0.5.1" + { "should": ">=0.5.1", + "optimist": ">=0.3.4" } , "repository" : { "type" : "git" From 71d26b7a20dde6ebda5ffe6c81ae87af7289e54d Mon Sep 17 00:00:00 2001 From: bcoe <=> Date: Fri, 21 Dec 2012 22:17:32 -0800 Subject: [PATCH 2/4] added a "missing" ; --- lib/shovel.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/shovel.js b/lib/shovel.js index 2c3385b..f97de9e 100644 --- a/lib/shovel.js +++ b/lib/shovel.js @@ -9,7 +9,7 @@ var util = require( 'util' ) , sandbox , Script , stdin - , apiContext = {} + , apiContext = {}; // Optionally provide an API that the untrusted code // will have access to. From dbd4a7174d818e544dd577d3c4c7c9af91cb2d7c Mon Sep 17 00:00:00 2001 From: bcoe <=> Date: Fri, 21 Dec 2012 22:41:18 -0800 Subject: [PATCH 3/4] removed dependency on optimist, too troublesome. --- lib/sandbox.js | 3 ++- lib/shovel.js | 5 ++--- package.json | 4 +--- 3 files changed, 5 insertions(+), 7 deletions(-) diff --git a/lib/sandbox.js b/lib/sandbox.js index e3e0471..0928ae1 100644 --- a/lib/sandbox.js +++ b/lib/sandbox.js @@ -13,7 +13,8 @@ function Sandbox( options ) { // Any vars in da house? var timer , stdout = '' - , child = spawn( this.options.node, [this.options.shovel, '--api=' + (this.options.api || '')] ) + , args = this.options.api ? [this.options.shovel, this.options.api] : [this.options.shovel] + , child = spawn( this.options.node, args ) , output = function( data ) { if ( !!data ) stdout += data diff --git a/lib/shovel.js b/lib/shovel.js index f97de9e..f727351 100644 --- a/lib/shovel.js +++ b/lib/shovel.js @@ -2,7 +2,6 @@ /* ------------------------------ INIT ------------------------------ */ var util = require( 'util' ) - , argv = require('optimist').argv , code , result , console @@ -13,8 +12,8 @@ var util = require( 'util' ) // Optionally provide an API that the untrusted code // will have access to. -if (argv.api.length) { - apiContext = require(process.cwd() + '/' + argv.api.replace('.js', '')); +if (process.argv[2]) { + apiContext = require(process.cwd() + '/' + process.argv[2].replace('.js', '')); } if ( ! ( Script = process.binding( 'evals').NodeScript ) ) diff --git a/package.json b/package.json index ea4ab87..356444f 100644 --- a/package.json +++ b/package.json @@ -11,9 +11,7 @@ , "directories" : { "lib" : "./lib" } , "engines" : [ "node >=0.5.0" ] , "devDependencies" : - { "should": ">=0.5.1", - "optimist": ">=0.3.4" - } + { "should": ">=0.5.1"} , "repository" : { "type" : "git" , "url" : "https://gf3@github.com/gf3/sandbox.git" From 5f64b793a17ccbe447153e1008a9c6f0de18a4ad Mon Sep 17 00:00:00 2001 From: bcoe <=> Date: Fri, 21 Dec 2012 23:19:13 -0800 Subject: [PATCH 4/4] making async behavior work better. --- lib/sandbox.js | 2 +- lib/shovel.js | 6 ++---- 2 files changed, 3 insertions(+), 5 deletions(-) diff --git a/lib/sandbox.js b/lib/sandbox.js index 0928ae1..b1a64d6 100644 --- a/lib/sandbox.js +++ b/lib/sandbox.js @@ -40,7 +40,7 @@ function Sandbox( options ) { // Options Sandbox.options = - { timeout: 500 + { timeout: 1500 , node: 'node' , shovel: path.join( __dirname, 'shovel.js' ) } diff --git a/lib/shovel.js b/lib/shovel.js index f727351..86ab8ad 100644 --- a/lib/shovel.js +++ b/lib/shovel.js @@ -83,10 +83,8 @@ function run() { result = e.name + ': ' + e.message; } - process.stdout.on( 'drain', function() { - process.exit(0) + process.on('exit', function() { + process.stdout.write( JSON.stringify( { result: util.inspect( result ), console: console } ) ); }); - - process.stdout.write( JSON.stringify( { result: util.inspect( result ), console: console } ) ); }