Deno: [feature] vm module

Created on 8 Jan 2020 · 7 Comments · Source: denoland/deno

Deno provides a lot of useful objects in the runtime. It is also great to see a project that is solving many of the security problems of running JavaScript.

I'd like to lock things down even further so that I can use Deno for hermetic config generation.

Are there plans to offer something like the vm module available in Node, or some other way to provide a smaller environment (i.e. no Deno.pid, etc.)?

All 7 comments

Worth noting we currently support Web Workers with the noDenoNamespace option, which completely hides window.Deno and all privileged calls hosted under it.

We also have plans to introduce permission setting inheritance to Workers, so you might have more granular control of what can/cannot be done in the Worker.

IMO a Worker-based (Isolate / V8 VM) isolation should be much stronger than the vm of Node, which, if I remember correctly, is Context-based.

Agreed that a worker-based isolation is much better than just context alone. I'm glad to see there is an option to hide the Deno namespace there.

Hi @kevinkassimo,

Can I achieve something like the code below?

var vm = require('vm');
var myObj = { name: 'John', age: 38 };
vm.createContext(myObj);

vm.runInContext('age += 1;', myObj);

console.log(myObj);

Basically I want to capture code from the end user and evaluate it inside a context. If so, can you please share sample code? It would be very helpful. Thanks.

The VM abstraction doesn't exist yet. The Worker would need to support Blob URLs so we can codegen module code. And workers would need to support limited permissions to run user code.

Effectively a duplicate of #5683 and #4867

Not really a duplicate. Those issues are just requirements to make this possible.

@lucacasonato Also, how is it a duplicate if those were made long after this issue?
