Security News
RubyGems.org Adds New Maintainer Role
RubyGems.org has added a new "maintainer" role that allows for publishing new versions of gems. This new permission type is aimed at improving security for gem owners and the service overall.
vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Securely!
The vm2 npm package is a sandbox that can run untrusted code with whitelisted built-in modules securely. It provides a secure alternative to the default 'vm' module that comes with Node.js and offers more fine-grained control over what the executed code can do.
Running Untrusted Code Securely
This feature allows you to execute untrusted JavaScript code in a secure sandbox environment, preventing it from accessing the local system or the host process.
const { NodeVM } = require('vm2');
const vm = new NodeVM();
let result = vm.run('return process.platform;');
Isolation of Modules
With vm2, you can control which modules the sandboxed code can require, either by whitelisting specific modules or by allowing/disallowing external modules.
const { NodeVM } = require('vm2');
const vm = new NodeVM({
require: {
external: true
}
});
vm.run('const fs = require("fs");');
Customizable Sandbox
This feature allows you to create a customizable sandbox with specific global properties that the executed code can interact with.
const { VM } = require('vm2');
const sandbox = { x: 20 };
const vm = new VM({ sandbox });
vm.run('x += 3;');
console.log(sandbox.x); // 23
Hooking Console Methods
vm2 allows you to redirect console methods from the sandboxed code to the host environment, enabling you to hook and handle logs, errors, and other console outputs.
const { NodeVM } = require('vm2');
const vm = new NodeVM({
console: 'redirect'
});
vm.on('console.log', (data) => {
console.log('Sandboxed log:', data);
});
vm.run('console.log("Hello from the sandbox!");');
The 'sandboxed-module' package is similar to vm2 in that it allows for the execution of code in a sandboxed environment. However, it focuses more on requiring modules in a sandbox rather than executing arbitrary code. It does not provide as strong isolation as vm2.
The 'secure-vm' package is another alternative that provides a sandbox for executing code. It is similar to vm2 but has a different API and may not offer the same level of customization and security features as vm2.
vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Securely!
Try it yourself:
const vm = require('vm');
vm.runInNewContext('this.constructor.constructor("return process")().exit()');
console.log('Never gets executed.');
const {VM} = require('vm2');
new VM().run('this.constructor.constructor("return process")().exit()');
// Throws ReferenceError: process is not defined
IMPORTANT: VM2 requires Node.js 6 or newer.
npm install vm2
const {VM} = require('vm2');
const vm = new VM();
vm.run(`process.exit()`); // TypeError: process.exit is not a function
const {NodeVM} = require('vm2');
const vm = new NodeVM({
require: {
external: true,
root: './'
}
});
vm.run(`
var request = require('request');
request('http://www.google.com', function (error, response, body) {
console.error(error);
if (!error && response.statusCode == 200) {
console.log(body); // Show the HTML for the Google homepage.
}
});
`, 'vm.js');
VM is a simple sandbox to synchronously run untrusted code without the require
feature. Only JavaScript built-in objects and Node's Buffer
are available. Scheduling functions (setInterval
, setTimeout
and setImmediate
) are not available by default.
Options:
timeout
- Script timeout in milliseconds. WARNING: You might want to use this option together with allowAsync=false
. Further, operating on returned objects from the sandbox can run arbitrary code and circumvent the timeout. One should test if the returned object is a primitive with typeof
and fully discard it (doing logging or creating error messages with such an object might also run arbitrary code again) in the other case.sandbox
- VM's global object.compiler
- javascript
(default) or coffeescript
or custom compiler function. The library expects you to have coffee-script pre-installed if the compiler is set to coffeescript
.eval
- If set to false
any calls to eval
or function constructors (Function
, GeneratorFunction
, etc.) will throw an EvalError
(default: true
).wasm
- If set to false
any attempt to compile a WebAssembly module will throw a WebAssembly.CompileError
(default: true
).allowAsync
- If set to false
any attempt to run code using async
will throw a VMError
(default: true
).IMPORTANT: Timeout is only effective on synchronous code that you run through run
. Timeout does NOT work on any method returned by VM. There are some situations when timeout doesn't work - see #244.
const {VM} = require('vm2');
const vm = new VM({
timeout: 1000,
allowAsync: false,
sandbox: {}
});
vm.run('process.exit()'); // throws ReferenceError: process is not defined
You can also retrieve values from VM.
let number = vm.run('1337'); // returns 1337
TIP: See tests for more usage examples.
Unlike VM
, NodeVM
allows you to require modules in the same way that you would in the regular Node's context.
Options:
console
- inherit
to enable console, redirect
to redirect to events, off
to disable console (default: inherit
).sandbox
- VM's global object.compiler
- javascript
(default) or coffeescript
or custom compiler function (which receives the code, and it's file path). The library expects you to have coffee-script pre-installed if the compiler is set to coffeescript
.eval
- If set to false
any calls to eval
or function constructors (Function
, GeneratorFunction
, etc.) will throw an EvalError
(default: true
).wasm
- If set to false
any attempt to compile a WebAssembly module will throw a WebAssembly.CompileError
(default: true
).sourceExtensions
- Array of file extensions to treat as source code (default: ['js']
).require
- true
or object to enable require
method (default: false
).require.external
- Values can be true
, an array of allowed external modules, or an object (default: false
). All paths matching /node_modules/${any_allowed_external_module}/(?!/node_modules/)
are allowed to be required.require.external.modules
- Array of allowed external modules. Also supports wildcards, so specifying ['@scope/*-ver-??]
, for instance, will allow using all modules having a name of the form @scope/something-ver-aa
, @scope/other-ver-11
, etc. The *
wildcard does not match path separators.require.external.transitive
- Boolean which indicates if transitive dependencies of external modules are allowed (default: false
). WARNING: When a module is required transitively, any module is then able to require it normally, even if this was not possible before it was loaded.require.builtin
- Array of allowed built-in modules, accepts ["*"] for all (default: none). WARNING: "*" can be dangerous as new built-ins can be added.require.root
- Restricted path(s) where local modules can be required (default: every path).require.mock
- Collection of mock modules (both external or built-in).require.context
- host
(default) to require modules in the host and proxy them into the sandbox. sandbox
to load, compile, and require modules in the sandbox. Except for events
, built-in modules are always required in the host and proxied into the sandbox.require.import
- An array of modules to be loaded into NodeVM on start.require.resolve
- An additional lookup function in case a module wasn't found in one of the traditional node lookup paths.nesting
- WARNING: Allowing this is a security risk as scripts can create a NodeVM which can require any host module. true
to enable VMs nesting (default: false
).wrapper
- commonjs
(default) to wrap script into CommonJS wrapper, none
to retrieve value returned by the script.argv
- Array to be passed to process.argv
.env
- Object to be passed to process.env
.strict
- true
to loaded modules in strict mode (default: false
).IMPORTANT: Timeout is not effective for NodeVM so it is not immune to while (true) {}
or similar evil.
REMEMBER: The more modules you allow, the more fragile your sandbox becomes.
const {NodeVM} = require('vm2');
const vm = new NodeVM({
console: 'inherit',
sandbox: {},
require: {
external: true,
builtin: ['fs', 'path'],
root: './',
mock: {
fs: {
readFileSync: () => 'Nice try!'
}
}
}
});
// Sync
let functionInSandbox = vm.run('module.exports = function(who) { console.log("hello "+ who); }');
functionInSandbox('world');
// Async
let functionWithCallbackInSandbox = vm.run('module.exports = function(who, callback) { callback("hello "+ who); }');
functionWithCallbackInSandbox('world', (greeting) => {
console.log(greeting);
});
When wrapper
is set to none
, NodeVM
behaves more like VM
for synchronous code.
assert.ok(vm.run('return true') === true);
TIP: See tests for more usage examples.
To load modules by relative path, you must pass the full path of the script you're running as a second argument to vm's run
method if the script is a string. The filename is then displayed in any stack traces generated by the script.
vm.run('require("foobar")', '/data/myvmscript.js');
If the script you are running is a VMScript, the path is given in the VMScript constructor.
const script = new VMScript('require("foobar")', {filename: '/data/myvmscript.js'});
vm.run(script);
You can increase performance by using precompiled scripts. The precompiled VMScript can be run multiple times. It is important to note that the code is not bound to any VM (context); rather, it is bound before each run, just for that run.
const {VM, VMScript} = require('vm2');
const vm = new VM();
const script = new VMScript('Math.random()');
console.log(vm.run(script));
console.log(vm.run(script));
It works for both VM
and NodeVM
.
const {NodeVM, VMScript} = require('vm2');
const vm = new NodeVM();
const script = new VMScript('module.exports = Math.random()');
console.log(vm.run(script));
console.log(vm.run(script));
Code is compiled automatically the first time it runs. One can compile the code anytime with script.compile()
. Once the code is compiled, the method has no effect.
Errors in code compilation and synchronous code execution can be handled by try-catch
. Errors in asynchronous code execution can be handled by attaching uncaughtException
event handler to Node's process
.
try {
var script = new VMScript('Math.random()').compile();
} catch (err) {
console.error('Failed to compile script.', err);
}
try {
vm.run(script);
} catch (err) {
console.error('Failed to execute script.', err);
}
process.on('uncaughtException', (err) => {
console.error('Asynchronous error caught.', err);
});
You can debug or inspect code running in the sandbox as if it was running in a normal process.
debugger
keyword./tmp/main.js:
const {VM, VMScript} = require('.');
const fs = require('fs');
const file = `${__dirname}/sandbox.js`;
// By providing a file name as second argument you enable breakpoints
const script = new VMScript(fs.readFileSync(file), file);
new VM().run(script);
/tmp/sandbox.js
const foo = 'ahoj';
// The debugger keyword works just fine everywhere.
// Even without specifying a file name to the VMScript object.
debugger;
To prevent sandboxed scripts from adding, changing, or deleting properties from the proxied objects, you can use freeze
methods to make the object read-only. This is only effective inside VM. Frozen objects are affected deeply. Primitive types cannot be frozen.
Example without using freeze
:
const util = {
add: (a, b) => a + b
}
const vm = new VM({
sandbox: {util}
});
vm.run('util.add = (a, b) => a - b');
console.log(util.add(1, 1)); // returns 0
Example with using freeze
:
const vm = new VM(); // Objects specified in the sandbox cannot be frozen.
vm.freeze(util, 'util'); // Second argument adds object to global.
vm.run('util.add = (a, b) => a - b'); // Fails silently when not in strict mode.
console.log(util.add(1, 1)); // returns 2
IMPORTANT: It is not possible to freeze objects that have already been proxied to the VM.
Unlike freeze
, this method allows sandboxed scripts to add, change, or delete properties on objects, with one exception - it is not possible to attach functions. Sandboxed scripts are therefore not able to modify methods like toJSON
, toString
or inspect
.
IMPORTANT: It is not possible to protect objects that have already been proxied to the VM.
const assert = require('assert');
const {VM} = require('vm2');
const sandbox = {
object: new Object(),
func: new Function(),
buffer: new Buffer([0x01, 0x05])
}
const vm = new VM({sandbox});
assert.ok(vm.run(`object`) === sandbox.object);
assert.ok(vm.run(`object instanceof Object`));
assert.ok(vm.run(`object`) instanceof Object);
assert.ok(vm.run(`object.__proto__ === Object.prototype`));
assert.ok(vm.run(`object`).__proto__ === Object.prototype);
assert.ok(vm.run(`func`) === sandbox.func);
assert.ok(vm.run(`func instanceof Function`));
assert.ok(vm.run(`func`) instanceof Function);
assert.ok(vm.run(`func.__proto__ === Function.prototype`));
assert.ok(vm.run(`func`).__proto__ === Function.prototype);
assert.ok(vm.run(`new func() instanceof func`));
assert.ok(vm.run(`new func()`) instanceof sandbox.func);
assert.ok(vm.run(`new func().__proto__ === func.prototype`));
assert.ok(vm.run(`new func()`).__proto__ === sandbox.func.prototype);
assert.ok(vm.run(`buffer`) === sandbox.buffer);
assert.ok(vm.run(`buffer instanceof Buffer`));
assert.ok(vm.run(`buffer`) instanceof Buffer);
assert.ok(vm.run(`buffer.__proto__ === Buffer.prototype`));
assert.ok(vm.run(`buffer`).__proto__ === Buffer.prototype);
assert.ok(vm.run(`buffer.slice(0, 1) instanceof Buffer`));
assert.ok(vm.run(`buffer.slice(0, 1)`) instanceof Buffer);
Before you can use vm2 in the command line, install it globally with npm install vm2 -g
.
vm2 ./script.js
CHANGELOG.md
package.json
version numbernpm publish
FAQs
vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Securely!
The npm package vm2 receives a total of 883,668 weekly downloads. As such, vm2 popularity was classified as popular.
We found that vm2 demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 3 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
RubyGems.org has added a new "maintainer" role that allows for publishing new versions of gems. This new permission type is aimed at improving security for gem owners and the service overall.
Security News
Node.js will be enforcing stricter semver-major PR policies a month before major releases to enhance stability and ensure reliable release candidates.
Security News
Research
Socket's threat research team has detected five malicious npm packages targeting Roblox developers, deploying malware to steal credentials and personal data.