JavaScript isolated execution context

I am trying to execute a piece of code in an empty isolated execution context in JavaScript. In the example below, I am trying to isolate the execution area of isolated. I want to execute a function in a context in which there are no global variables.

    (function() {
        'use strict';
        var scope = Object.create(null);
        var isolated = function() {
            'use strict';
            console.log(document); // Trying to get undefined
                                   // but traces `document`.
        };
        isolated.call(scope);
    })();

I thought it was easy to collapse global variables, but there are too many of them!

    var isolated = function(window, document, location /* etc */) {
        // ...
    };
    isolated.call(scope, undefined, undefined, undefined /* etc */);

Is there a better way to do this?

+2
3 answers

There is no good way to do this in JavaScript itself (but see Gareth Heyes's answer for another option).

There are several bad ways.

    (function() {
        var scope = Object.create(null);
        var obscurer = {};
        for (var key in this) {
            obscurer[key] = undefined;
        }
        with (obscurer) {
            var isolated = function() {
                'use strict';
                console.log(document);
            };
        }
        isolated.call(scope);
    })();

Note that you will actually get an error message because console is not defined, rather than document, although you can fix this by not blocking "console" in the "obscurer" object. You will probably find that you need a whole lot more global variables than you realize.

You also block the enumerable properties of the window. If you learn about non-enumerable properties that you want to block, you will have to add them to obscurer.

Of course, using with means that you can no longer use strict mode, and everyone will look down their noses at you.

There are more interesting options if you are working in node and not in a browser.

+4
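The parameter-shadowing idea from the question, combined with the point above about non-enumerable properties, as an added example that is not part of the original answer. The helper names collectGlobalNames, isStrictParamName and runShadowed are hypothetical, and it assumes an environment where the Function constructor is permitted (no policy blocking it).

```javascript
// Added example, not code from the thread. collectGlobalNames,
// isStrictParamName and runShadowed are hypothetical helper names.

// Every property name reachable from the global object. Unlike for...in,
// getOwnPropertyNames also returns non-enumerable names (Object, Function, ...),
// and walking the prototype chain picks up inherited ones.
function collectGlobalNames(globalObj) {
  const names = new Set();
  for (let o = globalObj; o !== null; o = Object.getPrototypeOf(o)) {
    for (const name of Object.getOwnPropertyNames(o)) names.add(name);
  }
  return names;
}

// True if `name` can be declared as a parameter of a strict-mode function.
// The regex rejects names that are not plain ASCII identifiers; the trial
// compile rejects keywords plus `eval` and `arguments`.
function isStrictParamName(name) {
  if (!/^[A-Za-z_$][\w$]*$/.test(name)) return false;
  try {
    new Function(name, '"use strict";');
    return true;
  } catch (e) {
    return false;
  }
}

// Compile `body` as a strict function whose parameters shadow every global
// name; names listed in `allowed` receive the given value, the rest undefined.
// Returns the body's result and the global names that could not be shadowed.
function runShadowed(body, allowed = {}) {
  const all = new Set([...collectGlobalNames(globalThis), ...Object.keys(allowed)]);
  const names = [...all].filter(isStrictParamName);
  const unshadowed = [...all].filter((n) => !names.includes(n));
  const fn = new Function(...names, '"use strict";\n' + body);
  const has = (n) => Object.prototype.hasOwnProperty.call(allowed, n);
  const args = names.map((n) => (has(n) ? allowed[n] : undefined));
  return { result: fn.apply(Object.create(null), args), unshadowed };
}

// Constructed sample bodies standing in for the isolated function.
const blocked = runShadowed('return [typeof Object, typeof setTimeout, typeof globalThis];');
const granted = runShadowed('return Math.max(1, 2);', { Math });
console.log(blocked.result, granted.result, blocked.unshadowed);
```

The unshadowed list reports names such as eval that cannot be declared as strict-mode parameters and therefore stay reachable, so this hides global names from cooperative code rather than forming a security boundary.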

Use my MentalJS analyzer to isolate the environment. Then you can choose which objects / variables it has access to by setting the code.

http://businessinfo.co.uk/labs/MentalJS/MentalJS.html

http://code.google.com/p/mentaljs/

By default, it allows access to the document, but you can prevent this: configure the environment here http://code.google.com/p/mentaljs/source/browse/trunk/MentalJS/javascript/Mental.js#260, after which you can choose whether they have access to math, etc.

+2

This can be done without ECMA6 by using an IIFE that contains your trusted code, into which the untrusted code is injected (see example).

    (function(injectedFunction) {
        /* Trusted code, that needs protection from untrusted code access */
        var hostingFuncPrivatePrimitive = "Hello there";
        var hostingFuncPrivateObject = {
            this_is_mine: true
        };
        var sharedPrimitive = 'This is shared';
        var sharedObject = {};

        // Running the untrusted code:
        injectedFunction(sharedPrimitive, sharedObject);

        console.log("sharedObject is: " + JSON.stringify(sharedObject));
        console.log("hostingFuncPrivateObject is: " + JSON.stringify(hostingFuncPrivateObject));
    })(
        (function(primitiveArg, objArg) {
            /* Untrusted code that needs isolation */

            // 1. using primitive (legal)
            console.log('primitiveArg is: ' + primitiveArg);

            // 2. Writing value to given objArg (legal):
            objArg.mumu = 'mimi';

            // 3. Trying to access host function variables (illegal)
            try {
                console.log('hostingFuncPrivatePrimitive is:' + hostingFuncPrivatePrimitive);
                hostingFuncPrivateObject.this_is_mine = false;
            } catch (e) {
                console.log(e);
            }
        })
    );

If you paste the above into the Chrome console, you will get:

    primitiveArg is: This is shared
    VM117:29 ReferenceError: hostingFuncPrivatePrimitive is not defined
        at <anonymous>:26:17
        at <anonymous>:11:5
        at <anonymous>:16:3
    VM117:12 sharedObject is: {"mumu":"mimi"}
    VM117:13 hostingFuncPrivateObject is: {"this_is_mine":true}

PS: I know I'm late for the party, but maybe this helps someone.

0

Source: https://habr.com/ru/post/1270107/

