
ses's Introduction

Secure EcmaScript

⚠️ This is not an official, working packaging of Google Caja’s SES. This is a project attempting to bring SES to Node.js but will probably not be viable until Node.js 0.12 at least.

SES is a tool that allows mutually suspicious programs to share a single EcmaScript 5 compliant JavaScript context without interfering with each other. It does this by freezing everything that is reachable from global scope, removing interfaces that would allow programs to interfere with each other, and providing the ability to evaluate arbitrary code in isolation.

SES is a part of the Google Caja project. For JavaScript contexts that do not support EcmaScript 5, Caja depends on compiling JavaScript to a JavaScript subset with static verification and run-time assertions to maintain isolation. With EcmaScript 5, it is possible to run isolated code without a compilation step or run-time checks.

Initialize SES by executing these scripts in order.

  • logger.js
  • repairES5.js
  • WeakMap.js
  • debug.js
  • StringMap.js
  • whitelist.js
  • atLeastFreeVarNames.js
  • startSES.js
  • ejectorsGuardsTrademarks.js
  • hookupSESPlus.js

This is an example of initializing SES in a web page.

<script src="logger.js"></script>
<script src="repairES5.js"></script>
<script src="WeakMap.js"></script>
<script src="debug.js"></script>
<script src="StringMap.js"></script>
<script src="whitelist.js"></script>
<script src="atLeastFreeVarNames.js"></script>
<script src="startSES.js"></script>
<script src="ejectorsGuardsTrademarks.js"></script>
<script src="hookupSESPlus.js"></script>

This is an example of initializing SES in Node.

var FS = require("fs");
var VM = require("vm");
 
// Read the concatenated SES sources as a string; vm.Script rejects a Buffer.
var source = FS.readFileSync("initSES.js", "utf8");
var script = new VM.Script(source);
// Run in the main context so the cajaVM global is installed here.
script.runInThisContext();
 
// compileExpr returns a function of an imports object; the expression's free
// variables (here only "console") resolve against that object.
var f = cajaVM.compileExpr("console.log('hi')");
f({console: console});

A command-line runner is also included under the name ses:

ses example/code.js

ses's People

Contributors

kriskowal, bmeck, heath, erights


ses's Issues

Object.defineProperty nodejs bug as test262 test

I gather SES on node is somewhat blocked by...

I'm trying to turn this nodejs bug into a test262 test. I gather this might have some impact on its priority.

At first I thought it was out of scope of ECMA 262 because it depends on node's vm API. But then I noticed an API in test262 that reifies the abstract CreateRealm function as $.createRealm.

So I'm trying to supply $.createRealm to the test instead of vm.createContext, but it's not working: when I run node vmbug.js, I get 30 etc. as Kris reports in #5679, but when I run node vmbug2.js I get 20 with a different exception:

R1:  ReferenceError: x is not defined
    at realm1:59:11
    at realm1:65:3
    at ContextifyScript.Script.runInContext (vm.js:37:29)
...
    at tryModuleLoad (module.js:449:12)
R1:  20
R1:  { value: 20,
  writable: false,
  enumerable: false,
  configurable: false }

Any clues what I'm doing wrong?

cc @erights @kriskowal @metaweta @jfparadis

Beware of forced errors and crossing the fakeFunction boundary before serialization:

This test is from node, but is applicable to JS in general, unsure if this is the place to put it or in caja since I don't know the code bases well enough:

// console.log inspects its argument, which invokes the `inspect` getter below.
// The getter returns a function x whose .constructor is the Function
// constructor of the realm that created it; from there a second Function
// constructor call forces a ReferenceError (`a` is undefined) and the catch
// block reaches `process`.
console.log({
  get inspect() {return function x() {
    return x.constructor(
      'console', [
        'return (function(){}).constructor("try{a}catch(e){console.log(process)}")()',
      ].join('')
      )(console)
  }}
})

commonjs wrapper / get rid of globals

Probably just going to wrap in a different context for the first iteration; I can take the issue that far at least. This will have primitives not matching the outer context though (which is fine for a first iteration).

cajaVM should not be a global, and should have a per instance shared import cache.
API could be something like:

  ses.createVM()

VMs need to provide:

  exports.eval(code) // no way to set the sandbox?
  exports.compileExpr(code, sandbox)
  exports.compileModule(code)(sandbox)
  exports.Function(args..., code)

Have prototype, reading up on caja stuff but docs are inline...
