-
Notifications
You must be signed in to change notification settings - Fork 30.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
doc: add note that vm module is not a security mechanism #11557
Conversation
I think it would be really helpful to explain why this is hard to get right. (Afaict, it is not strictly impossible to use a VM context for actual sandboxing, just something that can go wrong easily. But then again I haven’t tried to actually do that for real.) |
doc/api/vm.md
Outdated
@@ -14,6 +14,8 @@ const vm = require('vm'); | |||
JavaScript code can be compiled and run immediately or compiled, saved, and run | |||
later. | |||
|
|||
*Note*: The vm module makes a wrong impression as a security mechanism. In fact, it is not at all, you shouldn't use it to run untrusted scripts. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please line wrap at 80 chars.
Also, please avoid the use of informal pronouns like you
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How about something more like this?:
The `vm` module is not a security mechanism. Do not use it to run untrusted scripts.
@jasnell thank you for the review, required changes were made. @Trott completely agree. In you case sentence looks more like tech doc. @addaleax I think it is good idea to add info about why it is not security mechanism. Since it can take more space I think it should be somewhere at the bottom of the page. Maybe with link from top of the page. Also I'm not really sure how to explain why it is not security mechanism, since sandboxes (contexts) really makes impression of safety and secure. Please share you thoughts. |
Note that the issue is a bit deeper here, e.g. https://www.npmjs.com/package/vm2 is built on top of the Perhaps it's worth to mention that anything that is built on |
I'm pretty sure that it's impossible to use vm module alone (without kvm or at least a separate process) for sandboxing without parsing and verifying the code in question. Btw, see #3020 — that perhaps needs a fix on the documentation side. |
doc/api/vm.md
Outdated
@@ -14,6 +14,9 @@ const vm = require('vm'); | |||
JavaScript code can be compiled and run immediately or compiled, saved, and run | |||
later. | |||
|
|||
*Note*: The vm module is not a security mechanism. | |||
Do not use it to run untrusted scripts. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
s/scripts/code/
@seishun sounds much better. Thank you. I pushed new changes. |
Well, browsers do just that, so it should be possible |
No, it's not — the usecases are very different here. In the browser, you trigger a website open yourself, and if that crashes a tab or several ones (which is quite possible, btw.) — it's not a big deal actually. On a server — anyone could send you a malicious payload (without any additional action required) if you accept untrusted code and run it in Also (with lower significance, but this one of reasons why I would recommend not just a separate process, but a decent isolation): in the browser, the API surface that could be used by all the sites is pretty much limited, in Node.js — the main process has unrestricted access to the network/filesystem/etc. from the js code, so vm sandboxing becomes the only isolation layer between the untrusted code and a full system compromise. You shouldn't trust a single isolation layer when you can have two. Also note that there are additional ways to shoot yourself in the foot here, like passing |
You won't be happy if an iframe chrashes the whole tab, so it's very similar
In that case you probably shouldn't trust two if you can have three. On the other hand, why use two if one does the job? |
That's quite possible today (try |
doc/api/vm.md
Outdated
@@ -14,6 +14,9 @@ const vm = require('vm'); | |||
JavaScript code can be compiled and run immediately or compiled, saved, and run | |||
later. | |||
|
|||
*Note*: The vm module is not a security mechanism. | |||
Do not use it to run untrusted code. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe bold this last line?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@Fishrock123 Sounds great. I will update pull request pretty soon. Thank you!
Chrome goes to considerable lengths to run iframes in separate sandboxed processes. I'd say that underlines @ChALkeR's point of defense in depth. It's possible to isolate contexts by giving them their own security token (something node doesn't currently do; in fact, it does the opposite) but that only protects you against prototype traversal, it's no good against a CPU or memory consumption denial-of-service. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM but s/machanism/mechanism/ in the commit log.
the text added in this commit should warn users about wrong idea that vm module can be secure to run unsafe scripts in sandboxes
bd274f7
to
f86040c
Compare
I changed the typo in mechanism word of my first commit message and force pushed everything again. I hope it is ok, please correct me if I did something wrong. |
the text added in this commit should warn users about wrong idea that vm module can be secure to run unsafe scripts in sandboxes PR-URL: #11557 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Evan Lucas <evanlucas@me.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Landed in 2e74b0d. Thank you @krydos! I squashed the commits on landing. |
the text added in this commit should warn users about wrong idea that vm module can be secure to run unsafe scripts in sandboxes PR-URL: nodejs#11557 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Evan Lucas <evanlucas@me.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
the text added in this commit should warn users about wrong idea that vm module can be secure to run unsafe scripts in sandboxes PR-URL: nodejs#11557 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Evan Lucas <evanlucas@me.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
the text added in this commit should warn users about wrong idea that vm module can be secure to run unsafe scripts in sandboxes PR-URL: #11557 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Evan Lucas <evanlucas@me.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
the text added in this commit should warn users about wrong idea that vm module can be secure to run unsafe scripts in sandboxes PR-URL: #11557 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Evan Lucas <evanlucas@me.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
the text added in this commit should warn users about wrong idea that vm module can be secure to run unsafe scripts in sandboxes PR-URL: nodejs/node#11557 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Evan Lucas <evanlucas@me.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
the text added in this commit should warn users about
wrong idea that vm module can be secure to run unsafe scripts
in sandboxes
Checklist
Affected core subsystem(s)
doc, vm
Hi,
As it mentioned in issue #11550 the VM module can be mistakenly used as a security mechanism and it should be great to have a note that VM module it is not about security.