Comments (19)
I would catch the exception on the jailed side and notify the application then. Would that work?
from jailed.
Thank you for answering.
I think it would not work because I'm running untrusted code from other users and they can do wrong/buggy code.
Could it be possible to add in _pluginNode.js something like:
process.on('uncaughtException', function(e){
printError(e)
process.send({type: 'executeFailure'});
})
and remove the try-catch in line 40? Or there is an easier way to do that without changing the user's code? (I can inject code before and after the user's source code too.)
Thank you.
from jailed.
It seems like you provide user's code directly into the sandbox. What I suggest, is that you create a sandboxed code yourself, create a try-catch block in there, and then send user's code as a string and evaluate it.
from jailed.
That works well if I'm not executing async code:
I've tried:
function task(){
try{
eval(userCode)
}catch(e){
application.remote.logError(e)
}
}
where userCode is a string with the code:
application.remote.asyncFunction(function(data){
foo()//this function is not defined
})
Where asyncFunction gets data from the DB or Internet.
Then I can't caputre the exception.
from jailed.
Ok, now I see. From my perspective the sandbox is created to protect the application. Maybe Jailed should restrict anything asynchronous then..
In your case: what if you have all the asynchronous stuff on your side? Like an exported method on the application site which is provided to the sandbox. Then you can also control the asynchronous callback. Or you create an API on the side of the sandbox. Would that work for you?
You are right about the issue - currently the main application is not notified if an unhandled exception is thrown inside a sandbox, I will need to investigate on this. (Let me know if you have some suggestions)
from jailed.
In my case I let the user access a list of external services (DB, webservices, ...) and process the data returned. I don't know apriori what will they do. Also I need to notify them if their code fails (they will have a log).
I would suggest adding the line:
process.send({type: 'executeFailure'});
in the file _pluginNode.js
process.on('message', function(m) {
switch(m.type){
case 'import':
importScript(m.url);
break;
case 'importJailed':
importScriptJailed(m.url);
break;
case 'execute':
execute(m.code);
break;
case 'message':
// unhandled exception would break the IPC channel
try {
conn._messageHandler(m.data);
} catch(e) {
printError(e.stack);
process.send({type: 'executeFailure'});
}
break;
}
});
Then the callback plugin.whenFailed is executed and the parent process can handle the error. Also it would be cool to be able to know what has failed:
try {
conn._messageHandler(m.data);
} catch(e) {
printError(e.stack);
process.send({type: 'executeFailure', error: e});
}
And then from the callback in the parent process:
plugin.whenFailed(function(error){
console.error('plugin failed', error)
})
Thank you for the interest.
from jailed.
In your example:
...
case 'message':
...
This happens when the application sends a message to the sanbox, not when there's an asynchronous function invoked inside the sandbox. Right?
from jailed.
When an undefined function is tried to execute I get this in the stderr:
ReferenceError: foo is not defined
at DYNAMIC PLUGIN:8:5
at DYNAMIC PLUGIN:115:9
at JailedSite._processMessage (/xxx/node_modules/jailed/_JailedSite.js:126:21)
at Object._messageHandler (/xxx/node_modules/jailed/_JailedSite.js:29:32)
at process.<anonymous> (/xxx/node_modules/jailed/_pluginNode.js:41:18)
at process.emit (events.js:110:17)
at handleMessage (child_process.js:324:10)
at Pipe.channel.onread (child_process.js:352:11)
In node_modules/jailed/_pluginNode.js:41:18 there is a try-catch and I've seen that if the line process.send({type: 'executeFailure'}); is added the failure is reported to the parent process.
I don't know if this will catch all the exceptions and it may be better solutions.
from jailed.
ok, will investigate on this on the weekend. thanks for pointing out the issue :-)
from jailed.
Any progress on this issue @asvd?
from jailed.
@meaku sorry, not yet. currently preparing a new release providing the browser-compatibility, all new features will go on to the next release I guess.
from jailed.
Thanks for the quick reply :)
from jailed.
I just wanted to say that I agree with this issue and that there should also be an option to disable automatically printing errors.
I hacked together a workable solution but it would be great if someone knowledgeable on the project could tackle it.
Here is what I did:
I had to modify Whenable to take a data parameter:
Whenable.prototype.emit = function(data){
if (!this._emitted) {
this._emitted = true;
var handler;
while(handler = this._handlers.pop()) {
setTimeout(handler,0, data);
}
}
}
I had to modify executeJailed to include the error.
} catch (e) {
printError(e.stack);
fCb(e.stack);
}
I had to add the callback in execute to send the failure:
var fCb = function(e) {
process.send({type: 'executeFailure', error: e});
}
And I added it to the DynamicPlugin connect function (I am only using Dynamic)
this._fCb = function(e){
me._fail.emit(e);
me.disconnect();
}
from jailed.
I've extended what @taikuukaits said in #8 (comment) here:
Push-EDX@8664d32
It now allows you to do so:
plugin.whenFailed(function(e) {
console.error(e.stack);
})
Basically, it is exported stack
, name
and message
from the javascript error. It is only tested on browser (chrome) but should work elsewhere.
@asvd I can open a PR if you want too. I'd do it already, but I want your opinion on the other editions (blanks and so on) it was the editor
from jailed.
@gpascualg thank you for the effort!
In this issue we have the two problems:
- Error details are not reported to the parent process for synchronous calls inside a jailed plugin;
- Asynchoronous errors are not handled at all.
Your proposed changeset only covers the first item. Second is a more complex problem which should probably be solved with something like suggested in #8 (comment)
This issue keeps open for the latter problem. The proposed event, which will fire even in case of asynchronous exception on a Jailed site can probably include the error details.
Until it is done, the first problem can be worked around by wrapping the code in a try-catch block (on a plugin site), and reporting the error details in through a callback (basically what you did, but on top of Jailed). For this reason I would not merge it into Jailed.
Minor whitespace fixes are just fine, I would just submit those as a separate commit / PR.
from jailed.
@asvd Oups, didn't test that part, I supposed it had been fixed too. Indeed, this would report any syntax error, but probably not a runtime exception on an async task.
I'll see into it, but it will be a few days until I have time to really do any work. I'll keep you updated.
from jailed.
Hi, I think I've got a hack that solves both problems listed by @asvd: I'm using a older version of the library so I just created a new repository and added the changes in the following commit:
anderson-/jailedWithExceptions@9e19c4b
I'm not an expert in this library, so I don't really know if this is the right way to go... Hope this is useful for someone :)
from jailed.
@anderson- I can only see that you wrapped the method
invocation. I think it will not handle the asynchronous exceptions scheduled by the method
.
from jailed.
@anderson- I had problems with , error: e
, as both NodeJS and Chrome refused to copy the whole object. That is why in my branch I only copy stack
, name
and message
.
The error was something along the lines of "could not clone object".
from jailed.
Related Issues (20)
- unable to find application object
- Dom manipulation in jailed HOT 1
- Write code without application.remote HOT 2
- Just tried the base example - Getting permission issue HOT 5
- Why is the Web Worker inside an iframe? HOT 4
- Exposing values from the app to the jailed worker. HOT 1
- Best way to pass large data set into jailed script (browser)?
- Cannot read property 'whenEmitted' of undefined
- Add setting for "fallback to iframe jailing only" functionality, and timeout value
- Improve Jail Isolation via Content-Security-Policy HOT 1
- CVE-2022-23923 HOT 2
- Pass values to jailed code HOT 2
- Passing interface with sub functions not working
- Sandbox Escape Bug in jailed with Node.js
- Sandbox Escape Bug in jailed with Node.js
- Sandbox Escape in jailed with Node.js
- Sandbox Escape Bug in jailed with Node.js
- Sandbox Escape Bug in jailed with Node.js
- Sandbox Escape Bug in jailed with Node.js
- Sandbox Escape Bug in jailed with Node.js
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from jailed.