4

I'm trying to execute a piece of code within an empty isolated execution context in JavaScript. In the below sample, I'm trying isolate isolated execution scope. What I want to do is to execute a function in context where no global variables are in.

(function() {
  'use strict';

  var scope = Object.create(null);
  var isolated = function() {
    'use strict';
    console.log(document); // Trying to get undefined
                           // but traces `document`.
  };

  isolated.call(scope);
})();

I thought it was simple to nullify global variables but there are too many!

var isolated = function(window, document, location /* etc */) {
  // ...
};

isolated.call(scope, undefined, undefined, undefined /* etc */);

Is there a better way to do this?

Improve this question
2

3 Answers 3

Reset to default
4

There is no good way to do this within javascript itself (but see Gareth Hayes answer for another option).

There are a couple of bad ways.

(function() {
  var scope = Object.create(null);
  var obscurer = {};
  for (var key in this) {
     obscurer[key] = undefined;
  }

  with (obscurer) {
    var isolated = function() {
      'use strict';
      console.log(document);
    };
  }

  isolated.call(scope);
})();

Note that you'll actually get an error because console is not defined rather than document, although you can fix this by not blocking 'console' in the obscurer object. You'll probably find that you need a whole bunch more globals than you realised.

You're also only blocking the enumerable properties of window. If you become aware of nonenumerable properties that you want to block too, you'll have to add those to obscurer.

Of course, using with means you can't use strict mode any more as well, and everyone will look down their noses at you..

There are more interesting options available if you are working within node rather than the browser.

Improve this answer
Sign up to request clarification or add additional context in comments.

8 Comments

Window.prototype.alert.call(window,1) bypasses this sandbox.
I get "TypeError: window is undefined", but yes, I wouldn't really consider this method to be safe. As far as I know, you can't make a safe sandbox without parsing the input code. And even then, there are plenty of mistakes that could be made (e.g. people often forget that the Function constructor lets them eval code).
It's a Firefox specific vector.
I ran it in the console on firefox nightly, so I don't know if it's the version of firefox or the console that made it work for me. I suppose it highlights the point that if you're really looking for safety there are a lot of edge cases to think about. It'd be interesting to know exactly why Florent wants to do this...
It works on Chrome as well actually 32.0.1700.72 m. But yeah this is my point you miss one thing and it's a full bypass whereas if you use a parser and whitelist it's much stronger against attack.
|
2

Use my MentalJS parser to isolate the environment. You can then choose which objects/variables it has access to by customizing the code.

http://businessinfo.co.uk/labs/MentalJS/MentalJS.html

http://code.google.com/p/mentaljs/

By default it allows access to document but you can prevent this, customize the environment here http://code.google.com/p/mentaljs/source/browse/trunk/MentalJS/javascript/Mental.js#260 you can then choose if they have access to Math etc.

Improve this answer

Comments

1

It can be done without ECMA6 by using an IIFE that contains your trusted-needs-protection code, into which you inject your untrusted-needs-isolation-code (see example).

(function(injectedFunction) {
    /* Trusted code, that needs protection from untrusted code access */
    var hostingFuncPrivatePrimitive = "Hello there";
    var hostingFuncPrivateObject = {
        this_is_mine: true
    };

    var sharedPrimitive = 'This is shared';
    var sharedObject = {};

    // Running the untrusted code:
    injectedFunction(sharedPrimitive, sharedObject);

    console.log("sharedObject is: " + JSON.stringify(sharedObject));
    console.log("hostingFuncPrivateObject is: " +
        JSON.stringify(hostingFuncPrivateObject));
})(

(function(primitiveArg, objArg) {
    /* Untrusted code that needs isolation */

    // 1. using primitive (legal)
    console.log('primitiveArg is: ' + primitiveArg);

    // 2. Writing value to given objArg (legal):
    objArg.mumu = 'mimi';

    // 3. Trying to access host function variables (illegal)
    try {
        console.log('hostingFuncPrivatePrimitive is:' +
            hostingFuncPrivatePrimitive);
        hostingFuncPrivateObject.this_is_mine = false;
    } catch (e) {
        console.log(e);
    }
})

);

If you place the above in Chrome's console, you will get:

    primitiveArg is: This is shared
    VM117:29 ReferenceError: hostingFuncPrivatePrimitive is not defined
            at <anonymous>:26:17
            at <anonymous>:11:5
            at <anonymous>:16:3
    VM117:12 sharedObject is: {"mumu":"mimi"}
    VM117:13 hostingFuncPrivateObject is: {"this_is_mine":true}

P.S.: I know I'm late to the party, but maybe this helps anybody.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.