How to "Lock down" V8?
I'm new to V8 and plan on using it in a Python web application. The purpose is to let users submit and execute certain JS scripts. Obviously this is a security threat, so I'm looking for resources that document the ways one might 'lock down' V8. For example, can I create a whitelist of functions allowed to be called? Or a blacklist of libraries not allowed to be referenced?
BTW why not allow them to submit Python scripts? This would simplify your architecture a bit I think. :-) (Had to mention it). And yes, it's possible to create a safe Python sandbox for those scripts –
Capella
@Capella how? I'm interested as well, but I keep reading everywhere that Python is nearly unsandboxable, with a thousand examples of how to break out –
Markland
If you use a plain V8 (i.e. not something like node.js) there won't be any dangerous functions. JavaScript itself doesn't have a stdlib containing filesystem functions etc.
The only thing a malicious user can do is create infinite loops, deep recursions and memory hogs.
Sorry for the late comment, but I'm interested in this too. How can you prevent the user from exceeding a memory/processing quota? –
Markland
No idea. Please post a new question for this. –
Gelignite
I just posted a new question regarding this: #11637575 –
Amir
Would simply locking down the V8 instance (i.e., giving it no permissions in a chroot) and killing the process if it doesn't return after a certain amount of time not work?
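One way to apply the process-level time limit raised in the comments above, as an added example that is not part of the original thread: the script runs in a child process under a CPU-time rlimit and a wall-clock timeout, and the child is killed when either is exceeded. The names `run_limited` and `STAND_IN` are hypothetical, and the Python interpreter stands in for whatever command starts your V8-based engine (an assumption, POSIX only).

```python
import os
import resource
import signal
import subprocess
import sys

# Stand-in child that reads a script from stdin (assumption: replace with
# the command line of your own V8-based engine).
STAND_IN = [sys.executable, "-"]


def run_limited(argv, source, wall_s=2.0, cpu_s=1, mem_bytes=None):
    """Run argv with `source` on stdin; return (status, stdout).

    status is "ok", "error" (non-zero exit), "killed" (terminated by a
    signal, e.g. the CPU rlimit) or "timeout" (wall clock exceeded).
    """
    def set_limits():
        # Runs in the child just before exec.
        resource.setrlimit(resource.RLIMIT_CPU, (cpu_s, cpu_s))
        resource.setrlimit(resource.RLIMIT_CORE, (0, 0))
        if mem_bytes is not None:
            # An engine may reserve far more address space than it uses,
            # so tune this value per build (assumption).
            resource.setrlimit(resource.RLIMIT_AS, (mem_bytes, mem_bytes))

    proc = subprocess.Popen(
        argv,
        stdin=subprocess.PIPE,
        stdout=subprocess.PIPE,
        stderr=subprocess.DEVNULL,
        preexec_fn=set_limits,
        start_new_session=True,  # own process group, killable as a unit
    )
    try:
        out, _ = proc.communicate(source.encode(), timeout=wall_s)
    except subprocess.TimeoutExpired:
        os.killpg(proc.pid, signal.SIGKILL)  # kill the child and its descendants
        proc.communicate()                   # reap it
        return "timeout", b""
    if proc.returncode < 0:
        return "killed", out
    return ("ok" if proc.returncode == 0 else "error"), out


if __name__ == "__main__":
    print(run_limited(STAND_IN, "print(6 * 7)"))
    print(run_limited(STAND_IN, "while True: pass", wall_s=10))
    print(run_limited(STAND_IN, "import time; time.sleep(30)", wall_s=1))
```

The CPU limit catches busy loops, while the wall-clock timeout catches a child that blocks without burning CPU; a chroot or other filesystem restriction is configured separately.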