Question

We are planning to develop a business-oriented application platform on node.js + express. And we would like to allow users to run their own native node.js modules (sets of files: js, css, html), so generally it should be like a portal with portlets/servlets. Users should have the ability to install modules on the server side together with their client part, and these modules should interact with the platform and other modules through some API. So we need to isolate these modules from direct access to the system files and database, but they should have access to their own files and database. Please help me: what direction should we dig in to make it secure? I have checked information about: sandbox in vm and child process.

I tried:

// Main file (the platform host):
var util = require('util'),
  vm = require('vm'),
  fs = require('fs'),
  sandbox = {
    animal: 'cat',
    count: 2,
    require: require // I pass it to make it possible for the module to
                     // include some additional files,
                     // but it opens access to all system files
  };
// The sandbox object becomes the global scope of the user module.
var context = vm.createContext(sandbox);

fs.readFile('./user_modules/index.js', 'utf8', function (err, data) {
  if (err) throw err;
  // Run the module source against the prepared context, then print the
  // context to see what the module changed.
  vm.runInContext(data, context);
  console.log(util.inspect(context));
});


// User module
// user_modules/index.js

// Top-level `var` declarations and bare assignments land on the sandbox object.
var fs = require('fs');
count++;
animal = 'Dog';

// This path is relative to the host process's working directory,
// not to the module's own folder.
fs.readFile('README.md', 'utf8', function (err, data) {
  animal = 'Fox';
});

I passed the REQUIRE object to the module to make it possible to include some additional files, but it opens access to all system files. Is it possible to tell the VM or child process to work only with specific folders? Currently I have no idea how to work with the database, but I think when a user installs his module the platform should copy all files and create a DB schema for the user; then when the module launches I need to pass only an object which is connected to the user's DB schema.

Please help me, I'm really new to Node; any suggestions on how to solve my issue?

Thanks in advance


Solution

One thing you could do is to create a shim function around require that does whatever validation you want, and then calls the system's require function. You can then pass that in to the sandbox as a replacement for "require".

I'm not sure of all the changes that would be necessary to make a "secure" sandbox for node.js. To some extent, that's going to depend on what the user-submitted modules need to do.

One way to help ensure that the user modules can't interfere with your code would be to run them in their own process. On a Unix system, you can use chroot to create an isolated filesystem for the process to run in, and then communicate with the process over a stdio pipe, or a socket.

Licensed under: CC-BY-SA with attribution