Practical use of application sandbox environment

This time I will bring you the actual use of the application sandbox environment. What are the precautions for the actual use of the application sandbox environment? The following is a practical case, let's take a look.

What are the scenarios for dynamically executing scripts?

In some applications, we hope to provide users with the ability to insert custom logic, such as VBA in Microsoft Office, such as lua scripts in some games, and FireFox's "Grease Monkey Script". It allows users to use their imagination to do some fun and useful things within controllable scope and authority, expanding capabilities to meet users' personalized needs.

Most of them are client programs, and there are often similar requirements in some online systems and products. In fact, many online applications also provide the ability to customize scripts, such as Google Apps Script in Docs, which lets you do some very useful things with JavaScript, such as running code in response to document open events or cell change events, making custom spreadsheet functions for formulas, and more.

Different from client applications running "in the user's computer", the user's custom scripts can usually only affect the user himself. For online applications or services, some situations become even more complicated. Importantly, such as "security", the user's "custom script" must be strictly restricted and isolated, that is, it cannot affect the host program or other users.

Safeify is a module for Nodejs applications that is used to safely execute user-defined untrusted scripts.

How to safely execute dynamic scripts?

Let’s first take a look at how to dynamically execute a piece of code in a JavaScript program? For example, the famous eval

eval('1 2')

The above code was executed smoothly without any problem. eval is a function attribute of the global object. The code has the same permissions as other normal codes in the application process. It can access local variables in the "execution context" and can also access all "global variables". In this scenario, it is a very dangerous function.

Let’s look at Functionn again. Through the Function constructor, we can dynamically create a function and then execute it

const sum = new Function('m', 'n', 'return m + n');
console.log(sum(1, 2));

It also executes smoothly, using the function generated by the Function constructor, Closures are not created in the context in which they are created, but are generally created in the global scope. When running a function, you can only access its own local variables and global variables, but not the scope of the context generated by the Function constructor being called. Just like one standing on the ground and the other standing on a thin piece of paper, in this scene, there is almost no distinction between superior and inferior.

Combined with ES6's new feature Proxy, it can be safer

function evalute(code,sandbox) {
 sandbox = sandbox || Object.create(null);
 const fn = new Function('sandbox', `with(sandbox){return ($[code])}`);
 const proxy = new Proxy(sandbox, {
 has(target, key) {
  // 让动态执行的代码认为属性已存在
  return true; 
 }
 });
 return fn(proxy);
}
evalute('1+2') // 3
evalute('console.log(1)') // Cannot read property 'log' of undefined

We know that no matter eval or function, the scope will be searched layer by layer during execution. If it is not found, it will continue to To global, the principle of using Proxy is to let the executed code be found in sandobx to achieve the purpose of "anti-escape".

In the browser, you can also use iframe to create an isolation environment that is safe for re-transmission. This article also focuses on Node.js and will not discuss it too much here.
In Node.js, are there any other options?

Perhaps you have already thought of VM before seeing this. It is a built-in module provided by Node.js by default. The VM module provides a series of APIs for compiling and executing in the V8 virtual machine environment. Run the code. JavaScript code can be compiled and run immediately, or compiled, saved, and then run.

const vm = require('vm');
const script = new vm.Script('m + n');
const sandbox = { m: 1, n: 2 };
const context = new vm.createContext(sandbox);
script.runInContext(context);

Execute the above code to get the result 3. At the same time, you can also specify the "maximum number of milliseconds" for the code execution through vm.Script. If the specified time exceeds the specified time, the execution will be terminated and an exception will be thrown.

try {
 const script = new vm.Script('while(true){}',{ timeout: 50 });
 ....
} catch (err){
 //打印超时的 log
 console.log(err.message);
}

The execution of the above script will fail. A timeout is detected and an exception is thrown. Then it is captured by Try Cache and logged. However, it should be noted that the timeout option of vm.Script is "only for synchronous generation." Valid", not including the time of asynchronous calls. For example,

const script = new vm.Script('setTimeout(()=>{},2000)',{ timeout: 50 });
 ....

The above code will not throw an exception after 50ms, because the synchronous execution of the code above 50ms will definitely be completed, and the time used by setTimeout does not Counting this, that is to say, the vm module has no way to directly limit the execution time of asynchronous code. We also cannot use an additional timer to check the timeout, because there is no way to abort the executing vm after checking it.

In addition, in Node.js, vm.runInContext seems to isolate the code execution environment, but in fact it is easy to "escape".

const vm = require('vm');
const sandbox = {};
const script = new vm.Script('this.constructor.constructor("return process")().exit()');
const context = vm.createContext(sandbox);
script.runInContext(context);

执行上边的代码，宿主程序立即就会「退出」，sandbox 是在 VM 之外的环境创建的，需 VM 中的代码的 this 指向的也是 sandbox，那么

//this.constructor 就是外所的 Object 构建函数
const ObjConstructor = this.constructor; 
//ObjConstructor 的 constructor 就是外包的 Function
const Function = ObjConstructor.constructor;
//创建一个函数，并执行它，返回全局 process 全局对象
const process = (new Function('return process'))(); 
//退出当前进程
process.exit();

没有人愿意用户一段脚本就能让应用挂掉吧。除了退出进程序之外，实际上还能干更多的事情。

有个简单的方法就能避免通过 this.constructor 拿到 process，如下：

const vm = require('vm');
//创建一外无 proto 的空白对象作为 sandbox
const sandbox = Object.create(null);
const script = new vm.Script('...');
const context = vm.createContext(sandbox);
script.runInContext(context);

但还是有风险的，由于 JavaScript 本身的动态的特点，各种黑魔法防不胜防。事实 Node.js 的官方文档中也提到 VM 当做一个安全的沙箱去执行任意非信任的代码。

有哪些做了进一步工作的社区模块？

在社区中有一些开源的模块用于运行不信任代码，例如 sandbox、vm2、jailed 等。相比较而言 vm2 对各方面做了更多的安全工作，相对安全些。

从 vm2 的官方 READM 中可以看到，它基于 Node.js 内建的 VM 模块，来建立基础的沙箱环境，然后同时使用上了文介绍过的 ES6 的 Proxy 技术来防止沙箱脚本逃逸。

用同样的测试代码来试试 vm2

const { VM } = require('vm2');
new VM().run('this.constructor.constructor("return process")().exit()');

如上代码，并没有成功结束掉宿主程序，vm2 官方 REAME 中说「vm2 是一个沙盒，可以在 Node.js 中按全的执行不受信任的代码」。

然而，事实上我们还是可以干一些「坏」事情，比如：

const { VM } = require('vm2');
const vm = new VM({ timeout: 1000, sandbox: {}});
vm.run('new Promise(()=>{})');

上边的代码将永远不会执行结束，如同 Node.js 内建模块一样 vm2 的 timeout 对异步操作是无效的。同时，vm2 也不能额外通过一个 timer 去检查超时，因为它也没有办法将执行中的 vm 终止掉。这会一点点耗费完服务器的资源，让你的应用挂掉。

那么或许你会想，我们能不能在上边的 sandbox 中放一个假的 Promise 从而禁掉 Promise 呢？答案是能提供一个「假」的 Promise，但却没有办法完成禁掉 Promise，比如

const { VM } = require('vm2');
const vm = new VM({ 
 timeout: 1000, sandbox: { Promise: function(){}}
});
vm.run('Promise = (async function(){})().constructor;new Promise(()=>{});');

可以看到通过一行 Promise = (async function(){})().constructor 就可以轻松再次拿到 Promise 了。从另一个层面来看，况且或许有时我们还想让自定义脚本支持异步处理呢。

如何建立一个更安全一些的沙箱？

通过上文的探究，我们并没有找到一个完美的方案在 Node.js 建立安全的隔离的沙箱。其中 vm2 做了不少处理，相对来讲算是较安全的方案了，但问题也很明显，比如异步不能检查超时的问题、和宿主程序在相同进程的问题。

没有进程隔离时，通过 VM 创建的 sanbox 大体是这样的

那么，我们是不是可以尝试，将非受信代码，通过 vm2 这个模块隔离在一个独立的进程中执行呢？然后，执行超时时，直接将隔离的进程干掉，但这里我们需要考虑如下几个问题

通过进程池统调度管理沙箱进程

如果来一个执行任务，创建一个进程，用完销毁，仅处理进程的开销就已经稍大了，并且也不能不设限的开新进程和宿主应用抢资源，那么，需要建一个进程池，所有任务到来会创建一个 Script 实例，先进入一个 pending 队列，然后直接将 script 实例的 defer 对象返回，调用处就能 await 执行结果了，然后由 sandbox master 根据工程进程的空闲程序来调度执行，master 会将 script 的执行信息，包括重要的 ScriptId，发送给空闲的 worker，worker 执行完成后会将「结果 + script 信息」回传给 master，master 通过 ScriptId 识别是哪个脚本执行完毕了，就是结果进行 resolve 或 reject 处理。

这样，通过「进程池」即能降低「进程来回创建和销毁的开销」，也能确保不过度抢占宿主资源，同时，在异步操作超时，还能将工程进程直接杀掉，同时，master 将发现一个工程进程挂掉，会立即创建替补进程。

处理的数据和结果，还有公开给沙箱的方法

进程间如何通讯，需要「动态代码」处理数据可以直接序列化后通过 IPC 发送给隔离 Sandbox 进程，执行结果一样经过序列化通过 IPC 传输。

其中，如果想法公开一个方法给 sandbox，因为不在一个进程，并不能方便的将一个方案的引用传递给 sandbox。我们可以将宿主的方法，在传递给 sandbox worker 之类做一下处理，转换为一个「描述对象」，包括了允许 sandbox 调用的方法信息，然后将信息，如同其它数据一样发送给 worker 进程，worker 收到数据后，识出来所「方法描述对象」，然后在 worker 进程中的 sandbox 对象上建立代理方法，代理方法同样通过 IPC 和 master 通讯。

最终，我们建立了一个大约这样的「沙箱环境」

如此这般处理起来是不是感觉很麻烦？但我们就有了一个更加安全一些的沙箱环境了，这些处理。笔者已经基于 TypeScript 编写，并封装为一个独立的模块 Safeify。

GitHub: https://github.com/Houfeng/safeify，欢迎 Star & Issues

最后，简单介绍一下 Safeify 如何使用，通过如下命令安装

npm i safeify --save

在应用中使用，还是比较简单的，如下代码（TypeScript 中类似）

import { Safeify } from './Safeify';
const safeVm = new Safeify({
 timeout: 50,     //超时时间，默认 50ms
 asyncTimeout: 500,  //包含异步操作的超时时间，默认 500ms
 quantity: 4      //沙箱进程数量，默认同 CPU 核数
});
const context = {
 a: 1, 
 b: 2,
 add(a, b) {
  return a + b;
 }
};
const rs = await safeVm.run(`return add(a,b)`, context);
console.log('result',rs);

相信看了本文案例你已经掌握了方法，更多精彩请关注php中文网其它相关文章！

推荐阅读：

ajax怎样动态增加表格的tr与td

react+antd做一个后台管理系统

The above is the detailed content of Practical use of application sandbox environment. For more information, please follow other related articles on the PHP Chinese website!