Jailed JavaScript library runs untrusted code safely in browsers, Node.js

Jailed uses native JavaScript functions to run other libraries in a sandboxed environment, which could be the route to safer plugins and better automated testing of code

A recently revised JavaScript library now makes it possible to run untrusted JavaScript code, in either Node.js or a modern browser, via a sandboxed environment that provides a controlled way to determine its behavior.

Hostile code can be written in any language and JavaScript is no exception, whether it's run in a Node.js instance or in a web browser. Often, the only way to determine how a piece of JavaScript will really behave is to run it and watch the results -- preferably isolated inside a VM. But this isn't always practical.

Jailed, written by JavaScript developer Dmitry Prokashev, uses native JavaScript functions to load a set of JavaScript code into a sandboxed environment and export functions to the outside world.

"The untrusted code may then interact with the main application by directly calling those functions," writes Prokashev in his explanation of Jailed, "but the application owner decides which functions to export, and therefore what will be allowed for the untrusted code to perform." 

Remarkably, as of its latest 0.3.0 release, Jailed works interchangeably in both of JavaScript's two main sweet spots: Node.js and browsers.

With the Node.js runtime, which is now the standard server-side environment for running JavaScript, Jailed uses a restricted subprocess to execute the code. The parent Node.js process communicates by way of the send() method, essentially a remote procedure call.
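The export boundary described above, sketched as an added example (not Jailed's own code or wire format): a host-side dispatcher that serves requests from sandboxed code only when they name a function the application owner exported. The `{id, name, args}` message shape, `makeDispatcher`, and the sample functions are assumptions made for illustration.

```javascript
// Host side of the boundary: only functions the application owner exported
// can be reached. The {id, name, args} message shape is an assumption.
function makeDispatcher(exported) {
  // A Map never consults Object.prototype, so names such as "constructor"
  // or "__proto__" cannot resolve to anything the owner did not list.
  const table = new Map();
  for (const [name, fn] of Object.entries(exported)) {
    if (typeof fn !== 'function') throw new TypeError(`export ${name} is not a function`);
    table.set(name, fn);
  }
  return function dispatch(msg) {
    const id = msg && Number.isInteger(msg.id) ? msg.id : null;
    if (!msg || typeof msg.name !== 'string' || !Array.isArray(msg.args)) {
      return { id, ok: false, error: 'malformed message' };
    }
    const fn = table.get(msg.name);
    if (!fn) return { id, ok: false, error: `not exported: ${msg.name}` };
    try {
      // Round-trip through JSON so only plain data reaches host functions.
      const args = JSON.parse(JSON.stringify(msg.args));
      return { id, ok: true, result: fn(...args) };
    } catch (err) {
      // Reply with the message only; host stack traces stay on the host.
      return { id, ok: false, error: err instanceof Error ? err.message : 'call failed' };
    }
  };
}

// Constructed sample: two exported functions and four incoming requests.
const hostLog = [];
const dispatch = makeDispatcher({
  add: (a, b) => a + b,
  report: (text) => hostLog.push(String(text).slice(0, 200)),
});
const samples = [
  { id: 1, name: 'add', args: [2, 3] },
  { id: 2, name: 'constructor', args: [] },
  { id: 3, name: 'readFile', args: ['config.json'] },
  { id: 4, name: 'report', args: ['done'] },
];
const results = samples.map(dispatch);
for (const r of results) console.log(JSON.stringify(r));
```

Requests 2 and 3 are refused because neither name is in the export table, even though `constructor` exists on every plain object; a lookup written as `exported[msg.name]` would have found it.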

Jailed's other specialty -- modern web browsers -- is arguably the one area where you'd most want on-the-fly isolation from untrusted code. Jailed works in that situation by spawning a web worker background thread and running the script in a sandboxed iframe.

Prokashev notes there are still limitations with Jailed, many of them rooted in JavaScript's implementation in browsers. For instance, if you load Jailed in a browser from a local source (such as a file:// URL), any code it loads will also have access to the local filesystem. This can be avoided by loading the code from a local server or by running it in a Node.js instance.

Due to JavaScript's small standard library, a great deal of the functionality JavaScript apps rely on is offloaded to third-party libraries. It's tough to determine at a glance if a given library can be fully trusted or if its behavior would be bad news with a specific app -- which Jailed could handle easily.

Jailed could be expanded to accomplish this by making it part of an automated code-testing methodology. Normally, when testing code with Jailed, the developer needs to manually map the functions inside the sandbox to functions outside of it. A test framework could automatically enumerate the untrusted code's functions, export them as a list, and optionally have that list reviewed by the developer before hooking them up to other functions.

Copyright © 2016 IDG Communications, Inc.