Security News
NIST Misses 2024 Deadline to Clear NVD Backlog
NIST has failed to meet its self-imposed deadline of clearing the NVD's backlog by the end of the fiscal year. Meanwhile, CVE's awaiting analysis have increased by 33% since June.
pitboss-ng
Advanced tools
Run untrusted code in a seperate process using VM module. With timeout and memory limit management
var Pitboss = require('pitboss-ng').Pitboss;
var untrustedCode = "var a = !true; a";
var sandbox = new Pitboss(untrustedCode, {
memoryLimit: 32*1024, // 32 MB memory limit (default is 64 MB)
timeout: 5*1000, // 5000 ms to perform tasks or die (default is 500 ms = 0.5 s)
heartBeatTick: 100 // interval between memory-limit checks (default is 100 ms)
});
sandbox.run({
context: {
'foo': 'bar',
'key': 'value' // context must be JSON.stringify positive
},
libraries: {
myModule: path.join(__dirname, './my/own/module')
// will be available as global "myModule" variable for the untrusted code
}
}, function callback (err, result) {
sandbox.kill(); // don't forget to kill the sandbox, if you don't need it anymore
});
// OR other option: libraries can be an array of system modules
sandbox.run({
context: {},
libraries: ['console', 'lodash'] // we will be using global "lodash" & "console"
}, function callback (err, result) {
// finished, kill the sandboxed process
sandbox.kill();
});
var assert = require('chai').assert;
var Pitboss = require('pitboss-ng').Pitboss;
var code = "num = num % 5;\nnum;"
var sandbox = new Pitboss(code);
sandbox.run({context: {'num': 23}}, function (err, result) {
assert.equal(3, result);
sandbox.kill(); // sandbox is not needed anymore, so kill the sandboxed process
});
var assert = require('chai').assert;
var Pitboss = require('pitboss-ng').Pitboss;
var code = "num = num % 5;\n console.log('from sandbox: ' + num);\n num;"
var sandbox = new Pitboss(code);
sandbox.run({context: {'num': 23}, libraries: ['console']}, function (err, result) {
// will print "from sandbox: 5"
assert.equal(3, result);
sandbox.kill(); // sandbox is not needed anymore, so end it
});
var assert = require('chai').assert;
var Pitboss = require('pitboss-ng').Pitboss;
var code = "while(true) { num % 3 };";
var sandbox = new Pitboss(code, {timeout: 2000});
sandbox.run({context: {'num': 23}}, function (err, result) {
assert.equal("Timedout", err);
sandbox.kill();
});
var assert = require('chai').assert;
var Pitboss = require('pitboss-ng').Pitboss;
var code = "Not a JavaScript at all!";
var sandbox = new Pitboss(code, {timeout: 2000});
sandbox.run({context: {num: 23}}, function (err, result) {
assert.include(err, "VM Syntax Error");
assert.include(err, "Unexpected identifier");
sandbox.kill();
});
var assert = require('chai').assert;
var Pitboss = require('pitboss-ng').Pitboss;
var code = "var str = ''; while (true) { str = str + 'Memory is a finite resource!'; }";
var sandbox = new Pitboss(code, {timeout: 10000});
sandbox.run({context: {num: 23}}, function (err, result) {
assert.equal("Process failed", err);
sandbox.kill();
});
And since Pitboss-NG forks each process, ulimit kills only the runner
0.3.1
options.heartBeatTick
FAQs
Run untrusted code in a seperate process using VM2 module. With timeout and memory limit management
The npm package pitboss-ng receives a total of 246 weekly downloads. As such, pitboss-ng popularity was classified as not popular.
We found that pitboss-ng demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 3 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
NIST has failed to meet its self-imposed deadline of clearing the NVD's backlog by the end of the fiscal year. Meanwhile, CVE's awaiting analysis have increased by 33% since June.
Security News
Cloudflare has launched a setup wizard allowing users to easily create and manage a security.txt file for vulnerability disclosure on their websites.
Security News
The Socket Research team breaks down a malicious npm package targeting the legitimate DOMPurify library. It uses obfuscated code to hide that it is exfiltrating browser and crypto wallet data.