Years ago, when I was an active participant in the #linux channel of the local IRC network, we had a bot that could evaluate arbitrary shell commands, really handy to test one-liners. I don't know exactly how it was implemented, but one of the operators told me it was running on a custom Linux build inside QEMU running inside another QEMU instance because occasionally, despite the commands running as nobody and with various ulimits set, people would find a way to crash something or escape one sandbox... but never all of them.

Running user-provided JavaScript safely is hard. Browser vendors pour a lot of money in it, and JavaScript is still one of the leading exploitation vectors, the first step from navigating to a maliciously crafted web page to arbitrary code execution. Duktape has the benefit of not having to run JavaScript really fast and so sidesteps a whole class of JIT-related vulnerabilities (not needing to allocate writeable memory and turn it executable later helps a lot), but it does have its share of issues labelled "security". Lua is a much simpler language than JavaScript, with a whole chapter on sandboxing in PIL, and yet another double-free has been found in it just a few days ago, which might potentially lead to type confusion and sandbox escape. SQLite is probably some of the finest C code there can be, and yet they still fix crashing bugs, mostly from corrupted database files, but occasionally from SQL input too. Ethereum itself has an occasional vulnerability in its virtual machine too. For Perl, there's Safe, but with the warning at the end of the documentation page, I wouldn't want to use it alone to run arbitrary code over the Internet, either.

Admittedly, not all crashing bugs can be exploited, and not all issues labelled "security" will be exploited in the wild, and yet it feels like a fundamental problem: once we get a computer to run some code, it becomes hard to prevent it from running some other code that we don't want it to run but attackers do. I don't have a good solution, but I wish you good luck, and to proceed carefully!

In reply to Re: Running user-provided JavaScript code by aitap
in thread Running user-provided JavaScript code by cavac

Title:
Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post, it's "PerlMonks-approved HTML":


  • Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
  • Titles consisting of a single word are discouraged, and in most cases are disallowed outright.
  • Read Where should I post X? if you're not absolutely sure you're posting in the right place.
  • Please read these before you post! —
  • Posts may use any of the Perl Monks Approved HTML tags:
    a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, details, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, summary, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
  • You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
            For:     Use:
    & &amp;
    < &lt;
    > &gt;
    [ &#91;
    ] &#93;
  • Link using PerlMonks shortcuts! What shortcuts can I use for linking?
  • See Writeup Formatting Tips and other pages linked from there for more info.