js-vm v0.1.4
Pure ECMAScript 5 implementation of the Node.js VM API
js-vm
js-vm is a highly secure, fully compatible implementation of the Node.js VM API in pure ECMAScript 5. It may be used as a vm shim in webpack. It has a footprint of 7KB and does not depend on browser technologies such as the DOM.
js-vm is designed with high demands in efficiency and security:
- Code is transpiled only on the basis of native RegExp tokenization and no AST is created, increasing speed by a factor of 100K. Costs of initialization are minimal; no iframe or similar is created at runtime.
- Security measures are designed to be immune to extensions of the ECMAScript grammar (non-standard extensions, future extensions). The package works with standardized ES5 features only, making results highly predictable and security easiest to assess.
Installation
Install this package using NPM:
npm install js-vm
Usage
var vm = require('js-vm');
var sandbox = { console };
vm.runInNewContext('console.log("Hello world")', sandbox);
See the Node.js vm documentation.
Method
js-vm executes scripts one after another in the same global scope. No iframe or Web Worker is instantiated at runtime; execution is carried out solely by means of eval on RegExp-transpiled code.
To achieve this, from the perspective of an executed script, built-in global objects (not the global object itself) are frozen. Any modifications on properties or sub-properties of built-in objects (such as Object.prototype.toString) will be discarded (see the behavior of Object.freeze()). js-vm will not freeze any objects of the host script but will attempt to execute scripts in a separate global scope whenever technically viable (for example, by means of a hidden iframe that is created only once and then reused).
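As an added check (not part of js-vm), the following harness verifies the guarantee described above from the host's side: it snapshots the property descriptors of a few built-in members, runs an untrusted script, reports any that changed, and restores them so the host is not left polluted. The runner shown uses a strict-mode Function as a stand-in for a sandbox (an assumption); with js-vm one would pass a callback around vm.runInNewContext from the Usage section instead.

```javascript
'use strict';

// Constructed watch-list: built-in members a sandboxed script must not be able to alter.
const WATCHED = [
  ['Object.prototype', Object.prototype, 'toString'],
  ['Object.prototype', Object.prototype, 'hasOwnProperty'],
  ['Array.prototype', Array.prototype, 'push'],
  ['Function.prototype', Function.prototype, 'call'],
  ['JSON', JSON, 'parse'],
];

// Record the full property descriptor (value, writable, ...) of each watched member.
function snapshotBuiltins() {
  return WATCHED.map(([, owner, name]) => Object.getOwnPropertyDescriptor(owner, name));
}

function sameDescriptor(a, b) {
  if (!a || !b) return a === b;
  return a.value === b.value && a.writable === b.writable && a.enumerable === b.enumerable &&
    a.configurable === b.configurable && a.get === b.get && a.set === b.set;
}

// Run `source` through `run`, report which watched built-ins changed, and put the
// original descriptors back so the host process is not left polluted.
function runAndAudit(source, run) {
  const before = snapshotBuiltins();
  let error = null;
  try { run(source); } catch (e) { error = e; }
  const tampered = [];
  WATCHED.forEach(([ownerName, owner, name], i) => {
    if (sameDescriptor(before[i], Object.getOwnPropertyDescriptor(owner, name))) return;
    tampered.push(ownerName + '.' + name);
    if (before[i]) Object.defineProperty(owner, name, before[i]);
    else delete owner[name];
  });
  return { tampered, error };
}

// Stand-in runner (assumption, not js-vm): a strict-mode Function shares the host's
// built-ins, so anything the script does to them is visible to the audit.
// With js-vm, pass src => vm.runInNewContext(src, sandbox) here instead.
function runWithFunction(source) {
  return new Function('"use strict";\n' + source)();
}

// Constructed sample: a script that replaces Object.prototype.toString.
const POLLUTING_SCRIPT =
  'Object.prototype.toString = function () { return "[object pwned]"; };';
console.log(runAndAudit(POLLUTING_SCRIPT, runWithFunction).tampered); // prints [ 'Object.prototype.toString' ]
```

A sandbox that really freezes the built-ins, as js-vm describes, should yield an empty `tampered` list for the same script (the strict-mode stand-in does not).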
Comparison
js-vm differs from vm in the following points:
Limitations
- All scripts run in strict mode (or a superset, depending on browser support).
- Built-in objects (Object, Array, Date etc.) and their prototypes are immutable. This includes properties such as RegExp.lastMatch, which would normally change dynamically.
Extensions
- The timeout option limits the execution time of the script itself but also of functions defined in the script that are called once the main script has terminated, such as events, timeouts etc.
License
© 2016 Filip Dalüge, all rights reserved.