sbx

v2.1.0

Run untrusted code as a VM in a child process

Downloads

39

sbx allows you to run untrusted code in a more secure manner than simply using eval() or Function(). To accomplish this, a child process is forked and the untrusted code is run in a vm with its own context. Inside the vm, the untrusted code is wrapped in a try/catch inside an anonymous function in order to capture exceptions and output. Upon completion, the context is returned to the user via callback or promise.

Notes:
  • Code is run inside an anonymous function and should be written as such
  • Reserved variables _result, _exception, and _stdout are added to the context and should not be set by untrusted code
  • 'use strict' statements are removed from untrusted code as they cause exceptions for passed context variables
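
The mechanism described above (child process, vm context, try/catch wrapper, captured output), as an added sketch that is not sbx's own source. The names runInChildVm and CHILD, the 64 MB heap cap, the empty environment and the hard-kill margin are assumptions made for this example.

```javascript
const { spawnSync } = require('node:child_process')

// Script run by the child process (hypothetical; sbx's own child script may differ).
const CHILD = `
const vm = require('node:vm')
let input = ''
process.stdin.on('data', (d) => { input += d })
process.stdin.on('end', () => {
  const { code, context, timeout } = JSON.parse(input)
  const sandbox = Object.assign({}, context, { _result: undefined, _exception: null, _stdout: [] })
  // Console shim: record arguments in _stdout instead of writing to the real stdout.
  const log = (...args) => { sandbox._stdout.push(args.map(String).join(' ')) }
  sandbox.console = { log, error: log, info: log, trace: log, warn: log }
  // Strip 'use strict', then wrap in an anonymous function with try/catch.
  const body = code.replace(/['"]use strict['"];?/g, '')
  const wrapped = '_result = (function () { try { ' + body +
    '\\n} catch (e) { _exception = { message: String(e && e.message), scope: "vm" } } })()'
  try {
    vm.runInNewContext(wrapped, sandbox, { timeout })
  } catch (e) { // compile errors and vm timeouts surface here, outside the wrapper
    sandbox._exception = { message: String(e && e.message), scope: 'child_process' }
  }
  delete sandbox.console
  process.stdout.write(JSON.stringify(sandbox))
})
`

// Parent side: run `code` in a fresh child process and return the resulting context.
function runInChildVm (code, { context = {}, timeout = 100 } = {}) {
  const child = spawnSync(process.execPath, ['--max-old-space-size=64', '-e', CHILD], {
    input: JSON.stringify({ code, context, timeout }),
    encoding: 'utf8',
    env: {}, // do not pass the parent's environment variables to the child
    timeout: timeout + 5000, // hard kill if the in-vm timeout never fires
    maxBuffer: 1024 * 1024 // cap on how much output the child may return
  })
  if (child.error || child.status !== 0) {
    const message = String(child.error || child.stderr)
    return { _exception: { message, scope: 'child_process' }, _stdout: [] }
  }
  return JSON.parse(child.stdout)
}

// Constructed inputs, mirroring the README's first example plus a thrown error.
console.log(runInChildVm("x++; console.log('I like the number', x); return x * 2", { context: { x: 7 } }))
console.log(runInChildVm("throw new Error('boom')"))
```

Node's documentation states that the vm module is not a security mechanism, so the limits set here (empty environment, heap cap, hard kill) bound resource use and exposure rather than contain hostile code. The child still runs with the parent's OS privileges, so OS-level isolation is needed for that.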


Documentation


API

sbx.vm( code, [options], [callback] )

  • code {String} - String of untrusted JavaScript to run.
  • [options] {Object} - Options hash
    • [context] {Object} - Hash of key/value pairs that will be passed to the vm and are available to the untrusted code. Previously named variables.
    • [lockdown=true] {Boolean} - If false, require statements will be allowed in order to use external modules
    • [timeout] {Number} - Time in milliseconds before the VM times out
    • [transform] {Function} - A function with the signature transform(code, options) that should return a string of transformed code. This can be used to transform ES6 code using babel; see the babel example.
    • [parseImports=false] {Boolean} - Parse ES6+ import statements. Should be used with an ES6 source transform function and lockdown=false
  • [callback] {Function} - Error first callback with signature callback(error, context)

Returns

Promise that resolves to an SBXContext

Types

SBXContext

  • _result {any} - The return result of the executed code
  • _exception {Object} - A hash containing the error message, stack trace, and scope of where the exception was caught (the child_process or the vm)
  • _stdout {Array} - An array of stringified values from any calls made by sbx.log() inside the vm
  • [context variables] {any} - Updated context variables

Capturing stdout

All arguments to the console methods log, error, info, trace, and warn are automatically added as items in the _stdout context variable.

You may also use the sbx.log method, which is an alias for console.log.

Example

var sbx = require('sbx')

var code = 'x++; console.log(\'I like the number\', x);'

var options = {
  context: { x: 7 },
  timeout: 100
}

var callback = function(error, context) {
  if (error) return console.error(error)
  console.log('The value of x = ', context.x)
}

sbx.vm(code, options, callback)

// > I like the number 8
// > The value of x = 8

Example with external module and promise result

var sbx = require('sbx')

var code = 'var _ = require("lodash"); x = _.uniq(x); return x;'

var options = {
  context: { x: [1,1,2,2,3,4,5,6,6] },
  lockdown: false
}

sbx.vm(code, options).then(function (context) {
  console.log('The value of x = ', context.x)
  console.log(context._result)
}).catch(function (error) {
  console.error(error)
})

// > The value of x = [1, 2, 3, 4, 5, 6]
// > [1, 2, 3, 4, 5, 6]

Example with es2015 transform via babel + logging

var babel = require('babel-core')
var sbx = require('sbx')

var code = 'let fn = (msg) => msg\nsbx.log(message)\nreturn fn(message)'

var options = {
  context: { message: 'test' },
  transform: function (code, opts) {
    return babel.transform(code, {
      presets: ['es2015', 'stage-2'],
      plugins: ['transform-runtime']
    }).code
  }
}

sbx.vm(code, options).then(function(context) {
  console.log('Result = ', context._result)
  console.log(context._stdout)
})

// > Result = test
// > ['test']