6

I am confused about the use cases of the VM module in NodeJS.

After reading a little bit in the documentation about this module, it just looks like a fancy way to do eval.

Anyone used it and lived to tell the tale about its use cases?

Hyyan Abo Fakher
Amit Wagner
  • Easiest use case: suppose you have a website where the user enters the code and you need to compile that code then you can utilize the API of Node VM. – Arpit Kumar Sep 10 '18 at 10:44
  • It might be useful for unit tests or anything else where you want to have a clean/sandboxes environment. – t.niese Sep 10 '18 at 10:52

1 Answer

-1

The main purpose of this module is running JS in a sandboxed context environment. For example, when you need to execute the unverified JS code without the risk of affecting your node program execution. Moreover, you can specify an execution timeout and context-specific error handling.

Example: interpreting a JS snippet created by a user (interactive tutorials, etc.).

Alex
  • But still the docs say "The vm module is not a security mechanism. Do not use it to run untrusted code." – Християн Христов Sep 10 '18 at 10:46
  • The docs also say "A common use case is to run the code in a sandboxed environment", which is exactly what the answer states. It doesn't state that it's a security mechanism. – robertklep Sep 10 '18 at 10:51
  • @robertklep the answer says `[...]execute the unverified JS code without the risk of affecting your node program execution.[...]` and that can be misunderstood to be a security feature. I wouldn't use it to run unverified code, especially not from a user or an untrusted source. – t.niese Sep 10 '18 at 10:54
  • @t.niese that's literally what a sandbox does :) I guess some people associate that with "security", but I don't feel that's being implied here. – robertklep Sep 10 '18 at 11:01
  • @robertklep `some people associate that with "security"` and the fact that the first search result would lead to Wikipedia, which states that sandboxing is a security mechanism `[...]to execute untested or untrusted programs or code [...] without risking harm to the host machine or operating system[...]` is a problem, so an answer has to be clear about that. The vm sandboxing is not to protect from malicious code, it is more to ensure to have a clear context for trusted code. – t.niese Sep 10 '18 at 11:17
  • @ХристиянХристов, that's true. It's not about the security. It's about the isolated execution. The executed script doesn't have access to your current scope and that's basically it. Technically, the malicious code *can* be executed. – Alex Sep 10 '18 at 11:32
  • @t.niese since we're talking about software development, though: https://en.wikipedia.org/wiki/Sandbox_(software_development) – robertklep Sep 10 '18 at 11:34
  • As explained by https://odino.org/eval-no-more-understanding-vm-vm2-nodejs/ you should not use VM to run unverified code. In particular, running `this.constructor.constructor('return process')().exit()` in a VM context can alter node program execution. – Jacob Horbulyk Nov 26 '19 at 10:48