Is there Deno VM like NodeJS.vm ?

[skaneprime]

Hi! In NodeJS there was module "vm" which allowed you to run untrusted code in new context
The one limit was that you couldn't run TYPESCRIPT code in NodeJS's vm

But I didn't find any of that in Deno. Is there a way to run untrusted TYPESCRIPT code in Deno with a context?

[lucacasonato]

The "vm" module in Node can not be used to run untrusted code. It is not a security mechanism! Let me repeat,

The "vm" module in Node is NOT a security mechanism! Do not use it to run untrusted code! If you do this in production, shut down the server right now.

Read the first line in the Node.js docs: https://nodejs.org/api/vm.html#vm_vm_executing_javascript

---

Deno can run untrusted code in web workers if you constrain their permissions. They make for a more adequate sandbox. With just web workers you might be vulnerable to in process timing attacks. To prevent this, use deno subprocesses instead of workers.

[lucacasonato]

No - don't use contexts to run untrusted code.

If you want a custom runtime with custom builtins, you can build one in Rust by utilizing deno_core.

[kitsonk]

What is the use case?

If you want to adjust the context before you run unstrusted code, you can adjust whatever you want and then do an import("./my_untrusted_code.ts"). If it is truly dynamic, you can use a data URL or a blob URL to dynamically import the code.

[skaneprime]

What is the use case?

If you want to adjust the context before you run unstrusted code, you can adjust whatever you want and then do an import("./my_untrusted_code.ts"). If it is truly dynamic, you can use a data URL or a blob URL to dynamically import the code.

The deal is that you can't do it with this way. If the project is built to binary then you can't use import

[skaneprime]

Btw I'm struggling with building custom runtime in rust with deno_core Is there any information to learn about this?

[skaneprime]

anyone? 😥