When using the sandbox option, scripts always parse/run in strict mode, even when they don't specify the `use strict;` directive. #442
Comments
This issue is stopping me from using |
By any chance does |
Yes, every module required in the sandbox is evaluated in strict mode. Therefore, only the `this` on the top level of the module is bound to the global, and `this` of functions in the module behaves the normal strict mode way.
Is strict mode required for the sandbox to function correctly? If so, would you care to share why that is (apologies if I missed it in the README or another issue comment)? If not, is there some other reason to be forcing strict mode instead of only enabling it when the |
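This was the behavior in NodeVM for a long time. I can't tell you why this is. It can be circumvented with the following class:

```js
const {NodeVM} = require('vm2');

// Subclass that turns strict mode off whenever run() is given an options object.
class NonStrictNodeVM extends NodeVM {
	run(script, options) {
		if (typeof(options) === 'object' && options !== null) {
			// Copy first so the caller's options object is not mutated.
			options = Object.assign({}, options);
			options.strict = false;
		}
		return super.run(script, options);
	}
}
```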
Thanks for that. That does appear to be a viable workaround for this issue. I think however that, assuming that strict mode isn't necessary for security, it'd align better with user expectation if Now I have a new issue, but I'll raise that separately. |
@XmiliaH are you able to say whether a PR would be accepted that 1) makes the default value of I realize this would be a breaking change, however I think this would likely align better with most users' expected behavior w.r.t. strict mode/parsing. |
I already have a patch which adds |
Oh that's great, thanks. I'll comment any further thoughts on that PR. In the meantime unless you prefer to close this, I'll leave it open until #448 is merged. |
Description
This description was edited from its original text to reflect the latest understanding of the issue.
I'm running some code in a sandboxed `NodeVM`. The `source-map-support` module, which is a transitive dependency of my sandboxed code, is written with the expectation that the `this` keyword will resolve to `global` by default (non-strict mode processing). Neither my script, nor this module include the `use strict;` directive.

Repro code
sandboxed.js:
payload.js:
Repro Explanation
I'd expect that running `node sandboxed.js` would produce the same result as running `node payload.js`. Instead, `sandboxed.js` fails with `TypeError [Error]: Cannot read property 'globalVar' of undefined`. This failure occurs at the `console.log` line inside of the `foo` function.
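
The strict versus non-strict difference discussed in this thread, as an added example that is not part of the original issue or the project's code. It uses Node's built-in `vm` module rather than `NodeVM`, and the payload strings and the helpers `evaluate` and `breaksUnderForcedStrict` are constructed for illustration; it shows a function-level `this` read working as written and failing once a `'use strict';` directive is forced.

```javascript
// Added example using Node's built-in vm module (not vm2).
// vm is not a security boundary; this only models the strict-mode behaviour.
const vm = require('vm');

// Constructed payload modelled on the report: foo() is called without a
// receiver and reads a global through `this`. No 'use strict' directive.
const sloppyPayload = `
var globalVar = 'hello';
function foo() { return this.globalVar; }
foo();
`;

// Same payload rewritten so it no longer depends on the sloppy-mode binding.
const portablePayload = sloppyPayload.replace('this.globalVar', 'globalThis.globalVar');

// Run source in a fresh context; forceStrict prepends the directive, which
// models a sandbox that evaluates every module in strict mode.
function evaluate(source, forceStrict) {
  const code = (forceStrict ? "'use strict';\n" : '') + source;
  try {
    return { ok: true, value: vm.runInNewContext(code, {}) };
  } catch (err) {
    // Errors come from another realm, so compare by name, not instanceof.
    return { ok: false, error: err.name };
  }
}

// True when the source works as written but breaks once strict mode is forced.
function breaksUnderForcedStrict(source) {
  return evaluate(source, false).ok && !evaluate(source, true).ok;
}

console.log(evaluate(sloppyPayload, false));
console.log(evaluate(sloppyPayload, true));
console.log(breaksUnderForcedStrict(portablePayload));
```

Running `breaksUnderForcedStrict` over a dependency's source before loading it into a strict-only sandbox flags modules that rely on the non-strict `this` binding.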