nyariv/SandboxJS

Uncaught (in promise) Error: Static method or property access not permitted


    import Sandbox from '@nyariv/sandboxjs'
    import * as lodash from 'lodash'

    // Start from the library's default prototype whitelist
    const prototypeWhitelist = Sandbox.SAFE_PROTOTYPES

    const sandbox = new Sandbox({
      globals: {
        // exposed to sandboxed code under the name `_`
        _: lodash,
      },
      prototypeWhitelist,
    })

Code run inside the sandbox:

    _.trim(' 123 ')

Uncaught (in promise) Error: Static method or property access not permitted: lodash.trim

It works when I added:

    const prototypeWhitelist = Sandbox.SAFE_PROTOTYPES
    // register the lodash object itself with an (empty) set of allowed method names
    prototypeWhitelist.set(lodash, new Set())

However, why is the second parameter new Set()? And I have to do the same for Date on both globals and prototypes. Is there any more documentation with details? Thanks.

btw the example with alert does not work; it fails with the error: Uncaught (in promise) TypeError: Illegal invocation

nyariv commented

It is recommended not to inject lodash into the sandbox because it can be used to perform unsafe eval with _.template. The new Set() is for whitelisting prototype methods: it's a set of strings which are method names, which you can use to handpick the safe methods from lodash.

Thanks for the tip. What if I remove template? Would that be safe?

nyariv commented

It's recommended to pick only the methods you need, and inspect the implementation of each one for vulnerabilities. That might be harder than it sounds, but if they do simple things and no arbitrary property access then it should be safe.

There is risk with any library you add, but some libraries do a lot more than they should, or do things in ways that don't consider security. Lodash is a nice tool but it does mostly simple things in complicated ways, so I would recommend avoiding adding such a library, because of the risk/benefit associated with it.

Alternatively it's possible to evaluate lodash itself inside sandboxjs, and then it would be safe to use. However I have not fully tested such a large library yet, so your mileage may vary.

@nyariv thanks for the advice. I think whitelisting the exposed methods would be the reasonable option here.
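One way to apply the advice in this thread (expose only handpicked methods, and register the exposed object in the prototype whitelist with a Set of allowed method names), as an added example that is not part of this issue or of the SandboxJS project. `fakeLodash` is a constructed stand-in for lodash, `pickSafeMethods`, `buildSandboxOptions` and `demo` are hypothetical helpers, and the `basePrototypes` parameter stands in for `Sandbox.SAFE_PROTOTYPES` so the block runs without the package installed.

```javascript
'use strict';

// Constructed stand-in for a lodash-like library (sample data, not lodash):
// a few simple helpers plus a `template` method that, like lodash's, turns a
// string into a function and therefore must never reach sandboxed code.
const fakeLodash = {
  trim: (s) => String(s).trim(),
  upperFirst: (s) => (s ? s[0].toUpperCase() + s.slice(1) : ''),
  isEmpty: (v) => v == null || (typeof v === 'object' && Object.keys(v).length === 0),
  template: (src) => new Function('return ' + JSON.stringify(src)), // deliberately excluded below
};

// Build a frozen, prototype-less object holding only the handpicked methods.
// Every name must be an own, callable property of the library: inherited names
// such as `constructor` or `__proto__` are rejected, so an allow-list typo
// cannot hand the sandbox a path up to Function or Object.
function pickSafeMethods(lib, allowedNames) {
  const safe = Object.create(null); // no prototype chain to walk
  for (const name of allowedNames) {
    if (!Object.prototype.hasOwnProperty.call(lib, name)) {
      throw new Error(`not an own property of the library: ${name}`);
    }
    if (typeof lib[name] !== 'function') {
      throw new Error(`not a function: ${name}`);
    }
    safe[name] = lib[name];
  }
  return Object.freeze(safe);
}

// Assemble the options object for `new Sandbox(...)`. `basePrototypes` is the
// Map to start from (Sandbox.SAFE_PROTOTYPES in real use); it is copied so the
// library's shared default map is not mutated, and the picked object is
// registered with an empty Set, mirroring the whitelist entry from the issue.
function buildSandboxOptions(lib, allowedNames, basePrototypes) {
  const safeLib = pickSafeMethods(lib, allowedNames);
  const prototypeWhitelist = new Map(basePrototypes);
  prototypeWhitelist.set(safeLib, new Set());
  return { globals: { _: safeLib }, prototypeWhitelist };
}

// Demonstration with the constructed library and a constructed base Map.
function demo() {
  const base = new Map(); // stands in for Sandbox.SAFE_PROTOTYPES
  const opts = buildSandboxOptions(fakeLodash, ['trim', 'upperFirst'], base);
  return {
    exposed: Object.keys(opts.globals._),          // ['trim', 'upperFirst']
    templateReachable: 'template' in opts.globals._, // false
    baseUntouched: base.size === 0,                  // the shared map was copied, not mutated
    whitelistSize: opts.prototypeWhitelist.size,     // 1
    trimmed: opts.globals._.trim(' 123 '),           // '123'
  };
}

console.log(demo());
```

With the real package the call becomes `new Sandbox(buildSandboxOptions(lodash, ['trim'], Sandbox.SAFE_PROTOTYPES))`; the sandboxed `_.trim(' 123 ')` from the issue then works while `_.template` is simply absent from the global rather than relying on a runtime check.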