
SV: SV: [jslint] Re: ANN: JSLint Reporter (Node.js wrapper)

  • Jakob Kruse
    Message 1 of 2, Feb 3, 2011
      Frederik,

      I think you understood me correctly. I didn't claim LintServer to be secure because it is not - yet.

      What I'm doing already is evaluating fulljslint.js in a secure context. Any attempt to access local resources *on evaluation* of the script would fail. BUT! What I'm not doing yet is running the JSLINT function in a secure context. Actually my current solution pulls JSLINT out of the secure context and runs it in the default (insecure) context. So any attempt to access local resources during the linting process itself would succeed.

      This is why I didn't already announce LintServer on this list (but now that it's out there I'd better explain the problem).

      The last step is not terribly difficult, I just haven't had the time. It would involve putting the string to lint into the sandbox that contains the JSLINT function and then using runInNewContext to do the actual linting inside the sandbox:

      var vm = require('vm');
      // sandbox is the context object fulljslint.js was evaluated into, so it already holds JSLINT
      sandbox.source = 'the code to lint';
      sandbox.options = { /* ... */ };
      var ok = vm.runInNewContext('JSLINT(source, options);', sandbox);

      You should find that using sandboxing gives you total control over the environment you run your (or someone else's) code in. Looking forward to seeing you beat me to it ;-)

      /Jakob

      Full disclosure: I'm a complete Node.js newbie myself. LintServer is the first piece of Node code I've ever written. As such there is probably a better way than mine to do the things I do.


      -----Original Message-----
      From: jslint_com@yahoogroups.com [mailto:jslint_com@yahoogroups.com] On behalf of Frederik Dohr
      Sent: 3 February 2011 08:43
      To: jslint_com@yahoogroups.com
      Subject: Re: SV: [jslint] Re: ANN: JSLint Reporter (Node.js wrapper)

      > Node.js has a built-in feature for running scripts “sandboxed” [...]
      > The Node.js feature I mentioned is in the VM module. [...] If you use
      > those features (and use them correctly, which is not trivial), it
      > becomes completely safe to download and run any script

      I agree that this would be the ideal solution - and looking at your
      LintServer*, it appears you've already solved this issue (I must have
      misunderstood you before):
      var vm = require('vm'), fs = require('fs');
      var sandbox = {}; // context object that receives JSLINT on evaluation
      vm.runInNewContext(fs.readFileSync('./fulljslint.js', 'utf8'),
      sandbox, 'fulljslint.js');

      This appears to work just fine:
      https://gist.github.com/809174
      (untrusted.js throws exceptions since it doesn't have access to require)

      It should be rather straightforward to add this to JSLint Reporter then.


      -- F.


      * https://github.com/jkruse/LintServer/blob/master/lintserver.js
    • Frederik Dohr
      Message 2 of 2, Feb 3, 2011
        > What I'm doing already is evaluating fulljslint.js in a secure
        > context. Any attempt to access local resources *on evaluation* of the
        > script would fail. BUT! What I'm not doing yet is running the JSLINT
        > function in a secure context.

        Indeed, I hadn't quite thought that through - thanks for being thorough!

        > The last step is not terribly difficult, I just haven't had the time.
        > It would involve putting the string to lint into the sandbox that
        > contains the JSLINT function and then using runInNewContext to do the
        > actual linting inside the sandbox

        This was relatively straightforward (I think... ):
        https://github.com/FND/jslint-reporter/commit/9972fdcdeb402ec859345b7801ac08dd8dffd83f

        I'd certainly appreciate a review though.

        > Full disclosure: I'm a complete Node.js newbie myself. LintServer is
        > the first piece of Node code I've ever written. As such there is
        > probably a better way than mine to do the things I do.

        Ditto - I'll see whether I can run this by some Node.js experts.


        -- F.