6

I'm new to V8 and plan on using it in a python web application. The purpose is to let users submit and execute certain JS scripts. Obviously this is a security threat so I'm looking for resources that document the ways one might 'lock down' v8. For example, can I create a white list of functions allowed to be called? Or a blacklist of libraries not allowed to be referenced?

jsbueno
  • 99,910
  • 10
  • 151
  • 209
Trindaz
  • 17,029
  • 21
  • 82
  • 111
  • BTW why not allow them to submit Python scripts? This would simplify your architecture a bit I think. :-) (Had to mention it). And yes, it's possible to create a safe Python sandbox for those scripts – Kos Mar 19 '12 at 11:15
  • @Kos how? I'm interested as well, but I keep reading everywhere that Python is nearly unsandboxable, with a thousand examples of how to break out – salezica May 17 '12 at 02:29

2 Answers2

1

If you use a plain V8 (i.e. not something like node.js) there won't be any dangerous functions. JavaScript itself doesn't have a stdlib containing filesystem functions etc.

The only thing a malicious user can do is creating infinite loops, deep recursions and memory hogs.

ThiefMaster
  • 310,957
  • 84
  • 592
  • 636
  • Sorry for the late comment, but I'm interested in this too. How can you prevent the user from exceeding a memory/processing quota? – salezica May 01 '12 at 10:24
  • No idea. Please [post a new question](http://stackoverflow.com/questions/ask) for this. – ThiefMaster May 01 '12 at 11:24
  • I just posted a new question regarding this: http://stackoverflow.com/questions/11637075/how-do-i-prevent-malicious-javascript-in-v8-with-python – Gattster Jul 24 '12 at 18:30
0

Would simply locking down the V8 instance (ie: giving it no permissions in a chroot) and killing the process if it doesn't return after a certain amount of time not work?

JeffS
  • 2,647
  • 2
  • 19
  • 24