🤔 Is combining this with vm2, like, a heroically bad idea?

[rijkvanzanten]

Heya! Apologies to bother you here, but I was just very curious to hear your thoughts on the following (maybe wildly bad) idea as a sort of sanity check:

As part of a low-code development tool, I'm letting the (admin) users create/save a small bit of JavaScript that we execute at certain events. We do this using vm2 to make sure things don't totally explode in case some untrusted code makes it into the system.

When I came across your tweet announcing npx-import, it immediately tickled my imagination: Could we use this to semi-securely allow this untrusted code to require some third party libraries?

Something like this seems to work as expected, but I just wanted your 2¢ on whether this is a heroically bad idea:

import { npxImport } from 'npx-import';
import { NodeVM } from 'vm2';

const vm = new NodeVM({
  sandbox: {
    npxImport,
  },
  eval: false,
  wasm: false,
  require: false,
});

const untrustedCodeExample = `
  module.exports = async function(input) {
    const { default: slugify } = await npxImport('slugify');
    return slugify(input);
  }
`;

const fn = await vm.run(untrustedCodeExample);

const result = await fn('Some input data');
// => `some-input-data`

As far as I understand it, vm2 will block of requiring native modules or other transitive dependencies when loading modules, but I'm not sure if npxImport circumvents those rules 🤔

---

Totally understand if this is not the right forum to discuss this, and obv no hard feelings if you end up closing it immediately. Thank you for all the great OSS work you've done so far ❤️