
I am trying to look at a possibility of having users add their own code within a Node app running an express server.

Scenario -

User clicks on save of a form and wants to do self business validations for example. This can be used as middleware or just some function that can be run before saving. But the challenge is the code is already built and the node is in a running state. How can I use the code added by the user and validate it against some data?

I can definitely use eval or new Function or vm2 (which will isolate things - this is exactly what I need). But eval and new Function I definitely don't want to use. vm2 is definitely a choice, but on a grand scale of things it will be poor in performance and would take time to execute.

Has anyone used or worked on something similar? I can definitely use serverless functions, but that would become costly if there are multiple applications. Please help me understand how this can work out.

Thanks.

Michael Rovinsky
Deepankar
  • What have you tried so far? Without any code we can't really provide any help since SO isn't intended for open-ended advice. – Soviut Apr 30 '21 at 06:56
  • I have tried vm2, which works great but is slow when you run it 50 times at once. The whole process needs to look seamless. vm2 has performance issues. I tried to load a file using fs but again I need to eval it to actually run it (which I don't want to). – Deepankar Apr 30 '21 at 06:58

1 Answer


I don't understand why not eval. Other than that you can write the code to a new file and run a new node process on this file. If you need further isolation you can build a nodejs docker with said file, run that docker so it's isolated from your actual host.

in need of help
  • Eval and new Function aren't secure. I need to make sure the user doesn't have access to any local node modules. Only plain JavaScript, nothing more. User can access node process, fs and can even get hold of the whole source code. – Deepankar Apr 30 '21 at 06:56
  • Then take my idea of writing file to disk. Build a nodejs docker with said file, run that docker so it's isolated from your actual host – in need of help Apr 30 '21 at 07:02
  • That surely is a good idea. I'm gonna try it. Apart from this, are there any other options? – Deepankar Apr 30 '21 at 07:10
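
The approach from the answer above (write the user's code to a file and run it in a separate node process), as an added example that is not part of the original posts. The name `runUserValidator`, the "function body that receives `data`" contract and the JSON-over-stdin protocol are assumptions. A separate process gives a timeout, an empty environment and crash isolation, but the child can still reach `fs` and modules unless it also runs inside the container the answer describes.

```javascript
// Added example. Runs an untrusted function body in a throwaway node process.
async function runUserValidator(userCode, data, timeoutMs = 2000) {
  // Dynamic import() works from both CommonJS and ES module callers.
  const { execFile } = await import('node:child_process');
  const fs = await import('node:fs/promises');
  const os = await import('node:os');
  const path = await import('node:path');

  const dir = await fs.mkdtemp(path.join(os.tmpdir(), 'user-rule-'));
  const file = path.join(dir, 'rule.cjs');
  // Wrapper: read JSON from stdin, call the user's code, print a JSON result.
  const wrapper = [
    'const validate = function (data) {', userCode, '};',
    "let input = '';",
    "process.stdin.on('data', (chunk) => { input += chunk; });",
    "process.stdin.on('end', () => {",
    '  const result = validate(JSON.parse(input));',
    '  process.stdout.write(JSON.stringify({ result }));',
    '});',
  ].join('\n');
  await fs.writeFile(file, wrapper);

  try {
    return await new Promise((resolve) => {
      const child = execFile(process.execPath, [file], {
        cwd: dir,
        env: {},                 // do not pass the server's secrets to user code
        timeout: timeoutMs,      // stop runaway loops
        killSignal: 'SIGKILL',
        maxBuffer: 64 * 1024,    // cap how much output the child may send back
      }, (err, stdout) => {
        if (err) return resolve({ ok: false, error: err.killed ? 'killed' : 'failed' });
        try {
          resolve({ ok: true, result: JSON.parse(stdout).result });
        } catch {
          resolve({ ok: false, error: 'bad output' }); // e.g. user code wrote to stdout
        }
      });
      child.stdin.on('error', () => {}); // child may exit before reading its input
      child.stdin.end(JSON.stringify(data));
    });
  } finally {
    await fs.rm(dir, { recursive: true, force: true });
  }
}
```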