1

I'm looking at Clearscript for running my javascript code in my c# program.

I intend to use its V8 implementation, as implementing my own build of V8 is not possible right now (MSVC build is broken, hope they'll fix it soon).

The question is: can I run untrusted javascript code through clearscript, without exposing anything that could put the executing machine to risk?

I need to expose to the running javascript only very specific functions written by me as the code comes from untrusted sources, and could contain malevolent code.

H. Pauwelyn
  • 13,575
  • 26
  • 81
  • 144
Bad_At_Life
  • 23
  • 3

1 Answers1

1

The documentation at https://github.com/microsoft/ClearScript looks like scripts only have access to objects/functions you expose to them, so it seems that the answer to your question would be "yes". If reading that documentation doesn't give you this impression, then you should ask the ClearScript folks for clarification.

jmrk
  • 34,271
  • 7
  • 59
  • 74
  • I read that, but I was not sure that javascript could not access stuff I didn't expose. Thank you – Bad_At_Life Dec 26 '19 at 13:02
  • It can’t access things you don’t expose, but a malicious script can still run your process out of memory or exploit a bug to crash it. V8 doesn’t run script code in a sandbox, so the only way to fully isolate it is to run it in a dedicated process. – BitCortex Dec 26 '19 at 14:37
  • @BitCortex - could you point me at any documentation or gist that would expand on 'the only way to fully isolate it is to run it in a dedicated process' please ? I looked at the faqtorial but it seems not to mention the approach. – Vanquished Wombat Dec 08 '20 at 11:44
  • 1
    Excellent and thanks for the quick response. I'm guessing that's a standard run-as-a-process pattern and you've been kind enough to type it out as a ClearScript example so thanks also for not suggesting I rtfm. It is quite important to know that the security context that the JS runs in can be managed this way to ensure security. – Vanquished Wombat Dec 08 '20 at 20:13