浅谈Node.js 沙箱环境

node官方文档里提到node的vm模块可以用来做沙箱环境执行代码，对代码的上下文环境做隔离。

/A common use case is to run the code in a sandboxed environment. The sandboxed code uses a different V8 Context, meaning that it has a different global object than the rest of the code.

先看一个例子

const vm = require('vm');let a = 1;var result = vm.runInNewContext('var b = 2; a = 3; a + b;', {a});console.log(result);  // 5console.log(a);     // 1console.log(typeof b); // undefined

沙箱环境中执行的代码对于外部代码没有产生任何影响，无论是新声明的变量b，还是重新赋值的变量a。 注意最后一行的代码默认会被加上return关键字，因此无需手动添加，一旦添加的话不会静默忽略，而是执行报错。

const vm = require('vm');let a = 1;var result = vm.runInNewContext('var b = 2; a = 3; return a + b;', {a});console.log(result);console.log(a);console.log(typeof b);

如下所示

evalmachine.<anonymous>:1var b = 2; a = 3; return a + b;         ^^^^^^SyntaxError: Illegal return statement  at new Script (vm.js:74:7)  at createScript (vm.js:246:10)  at Object.runInNewContext (vm.js:291:10)  at Object.<anonymous> (/Users/xiji/workspace/learn/script.js:3:17)  at Module._compile (internal/modules/cjs/loader.js:678:30)  at Object.Module._extensions..js (internal/modules/cjs/loader.js:689:10)  at Module.load (internal/modules/cjs/loader.js:589:32)  at tryModuleLoad (internal/modules/cjs/loader.js:528:12)  at Function.Module._load (internal/modules/cjs/loader.js:520:3)  at Function.Module.runMain (internal/modules/cjs/loader.js:719:10)

除了runInNewContext外，vm还提供了runInThisContext和runInContext两个方法都可以用来执行代码 runInThisContext无法指定context

const vm = require('vm');let localVar = 'initial value';​const vmResult = vm.runInThisContext('localVar += "vm";');console.log('vmResult:', vmResult);console.log('localVar:', localVar);console.log(global.localVar);

由于无法访问本地的作用域，只能访问到当前的global对象，因此上面的代码会因为找不到localVal而报错

evalmachine.<anonymous>:1localVar += "vm";^ReferenceError: localVar is not defined  at evalmachine.<anonymous>:1:1  at Script.runInThisContext (vm.js:91:20)  at Object.runInThisContext (vm.js:298:38)  at Object.<anonymous> (/Users/xiji/workspace/learn/script.js:3:21)  at Module._compile (internal/modules/cjs/loader.js:678:30)  at Object.Module._extensions..js (internal/modules/cjs/loader.js:689:10)  at Module.load (internal/modules/cjs/loader.js:589:32)  at tryModuleLoad (internal/modules/cjs/loader.js:528:12)  at Function.Module._load (internal/modules/cjs/loader.js:520:3)  at Function.Module.runMain (internal/modules/cjs/loader.js:719:10)