this === window ?

Question

this === window ?

Closed this issue 8 years ago · 9 comments

Not sure if there is a problem or not, but this seems to resolve to window, so i guess i can access global stuff through that. Not sure if this is something that is ok or not or whether a .call(null or .apply(null would help...

the blog article https://blog.risingstack.com/writing-a-javascript-framework-sandboxed-code-evaluation/ has some typos too, so copy/pasting the code to the devtools doesnt always work.

Another thing i was thinking about is, that maybe someone could "pass in" an object that contains a has or get method which is "destructured" by the with (...) { ... } statement and maybe can cause problems too?

Answer 1 · 2016-08-17T02:36:58.000Z

Hi!

Thanks for all these observations, gonna check them all tomorrow.

Answer 2 · 2016-08-17T09:54:16.000Z

Hi!

This really resolved to the global object (window), because the functions were in global space. Fixed it with your suggestion: code.call(sandboxProxy, sandboxProxy). Now this inside sandboxed code points to the sandbox. Do you think it would make more sense to set it to null?
I am checking the typos.
I am not sure I understand this one. There are two parts here: the sandbox object (secure, completely controlled by the owner) and the code string (can be injected). If a developer does crazy stuff in the sandbox (like exposing global inside getters) it's his/her own fault. If the sandbox itself doesn't expose globals but the code string can somehow get access to them, then it's the fault of nx-compile. Or did you mean creating objects with getters inside the code string?

Thx for all the feedback!

Answer 3 · 2016-08-17T10:36:16.000Z

i dont know, it probably doesnt matter, as long as its sandboxed.

Regarding 3. - i'm also not so sure and just guessing from a gut feeling, but:

What would happen if somebody would define a has and a get function inside the source code that will be put into the sandbox, so that they maybe affect your designed has and get functions by somehow shadowing the - so that when they are supposed to be called and prevent access to the global object, the ones defined in the source allow the access to the global object instead.
...maybe this wouldnt work, but maybe it would?

Answer 4 · 2016-08-17T11:02:29.000Z

Oh, I got it.

It won't cause issues. has and get are both part of the Proxy. Firstly I don't think they are actually added as properties to the Proxy object. Secondly it is not possible to figure this out, since even if they are added as properties Proxies are transparent. Meaning that if you have const proxy = new Proxy(obj, {get, has}) and try to do proxy.get, it will always look for get inside obj instead of proxy.

This is the theory, I also tested it quickly to make sure. I think I will include a test for this case to make it clear.

(Side note: if you are interested, someone else found another issue that I am currently struggling with: https://www.reddit.com/r/javascript/comments/4xz2n8/writing_a_javascript_framework_sandboxed_code/)

Answer 5 · 2016-08-17T14:08:50.000Z

This fix is on master with documentation and test coverage. I will close this issue now.

Answer 6 · 2016-08-17T21:15:25.000Z

I wasn't thinking about proxy.get or obj.get (or .has) ...
What if the source code defines a function has () { return false} ... will they maybe be called when proxy.has is used to look up stuff instead of

function has (target, key) {
  if (isAllowedGlobal(key)) {
    return Reflect.has(target, key)
  }
  return true
}

Answer 7 · 2016-08-17T21:49:52.000Z

Nope, there is no way to access or overwrite the Proxy traps (has and get) from inside the code.

Answer 8 · 2016-08-17T22:19:40.000Z

ok perfect :-) thats awesome. I also read the reddit thing. Will follow this repo.
It's nice to have a vm in ~20lines of code
👍

Answer 9 · 2016-08-17T22:25:05.000Z

Great (:
I am glad you like it. Thx for the comments.