Execute JavaScript in a WebAssembly QuickJS Sandbox
QuickJS is a secure JavaScript execution tool in a WebAssembly sandbox. It includes security features, file system access, custom node modules, a fetch client, and a test runner. Find detailed documentation and examples in the repository. Users can seek further assistance for inquiries.
Related
What Happens When You Put a Database in the Browser?
WebAssembly (Wasm) enhances browser capabilities, enabling high-performance apps like DuckDB for ad-hoc queries and Python environments. DuckDB Wasm boosts performance in interfaces like lakeFS, Evidence, and Count. MotherDuck enables local querying, emphasizing efficient data processing.
Show HN: Synapse – TypeScript Toolchain for Cloud Apps
Synapse is a full-stack TypeScript toolchain with resource-driven programming, cloud-agnostic libraries, and fine-grained permissions. It includes a TypeScript compiler, fast package manager, and testing framework for local or AWS deployment. Installation instructions vary by OS. Leveraging TypeScript, esbuild, Node.js, Terraform, and AWS SDK. Detailed documentation on GitHub covers Custom Resources, Environments, Packages, and Tests, with a Quick Start guide available.
Apple Disables WebKit's JIT in Lockdown Mode, & BrowserEngineKit Is Restricted
Apple has disabled WebKit's JIT in Lockdown Mode for enhanced security, aligning with EU's DMA. BrowserEngineKit enables secure JIT compilation, balancing performance and safety, requiring authorized developers for alternative browser engines.
Denotational Semantics and a Fast Interpreter for jq (2023)
The paper introduces denotational semantics for the jq programming language, addressing the lack of a formal specification. A new interpreter, jaq, outperforms jq on benchmarks, submitted to OOPSLA 2023.
JavaScript Visualized – Event Loop, Web APIs, (Micro)Task Queue [video]
The event loop in JavaScript is crucial for managing asynchronous tasks efficiently. It includes the call stack, web APIs, task queue, and microtask queue, enabling non-blocking operations. For more details, feel free to inquire.
Did you try running in the browser or with a bundler? I think accepting the variant name as a string you pass to import(variantName) dynamically may not play well with Webpack et al.
EDIT: SECURITY WARNING: this library exposes the ability for the guest (untrusted) code to `fetch` with the same cookies as the host `fetch` function. You must not run untrusted code if enabling `fetch`. Library should come with a big blinking warning about what is safe and unsafe to enable when running untrusted code. It’s not a “sandbox” if the sandboxed code can call arbitrary HTTP APIs authenticated as the host context!
The reason quickjs-emscripten is low-level and avoids magic is so I can confidently claim that the APIs it does provide are secure. I generally reject feature requests for magical serialization or easy network/filesystem access because that kind of code is a rich area for security mistakes. When you run untrusted code, you should carefully audit the sandbox itself, but also audit all the code you write to expose APIs to the sandbox.
In this case a comment from another HN user asking about Fetch cookies tipped me off to the potential security issue.
More reading:
Figma blog posts on plugin sandbox security:
- https://www.figma.com/blog/how-we-built-the-figma-plugin-sys...
- https://www.figma.com/blog/an-update-on-plugin-security/
Quickjs-emscripten README: https://github.com/justjake/quickjs-emscripten
Are there any ways to "sandbox" DOM access? I.e. give untrusted 3rd parties access to a DOM element in a predefined spot? AFAIK the only tech that allows for this is iframes, which are unfortunately heavy and slow. I'm writing an app that can host plugins, and unfortunately, I think giving plugins DOM access means they can now literally do _anything_.
From the API, I don't see if `createRuntime` allows you to define calls to the host environment (other than for `fetch`). This would be quite a useful feature, especially because you could use it to restrict communication with the outside world in a controlled way, without it being an all-or-nothing proposition.
Likewise, it doesn't seem to support the browser (at least, running a quick check with esm.sh). I think that that could be a useful feature too.
I'll run some tests as I'm curious what the overhead is in this case, but like I said, this sounds like a pretty solid approach.
[1] @exact-realty/lot
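The host-side narrowing that the fetch warning above and the request for controlled host calls both point at, as an added example (not code from the thread or from quickjs-emscripten; `prepareGuestRequest`, `makeGuestFetch`, `GuestFetchError` and the allowlisted origin are assumed names): the guest only ever receives a wrapped function, and the host rebuilds each request with credentials omitted, identity-carrying headers stripped, redirects refused and the origin checked against an allowlist.

```javascript
// Added example: turn the host's fetch into a narrow capability before
// handing it to guest code. Names here are assumed, not a library API.

// Request headers the guest must never control: they carry host identity.
const FORBIDDEN_REQUEST_HEADERS = new Set([
  "cookie", "authorization", "proxy-authorization",
]);

class GuestFetchError extends Error {}

// Pure policy step: validate what the guest asked for and rebuild the
// request from scratch. allowedOrigins are exact origins, e.g.
// "https://api.example.test" (constructed value for this example).
function prepareGuestRequest(allowedOrigins, url, init = {}) {
  const allowed = new Set(allowedOrigins);
  let parsed;
  try {
    parsed = new URL(String(url));
  } catch {
    throw new GuestFetchError(`guest fetch: invalid URL ${String(url)}`);
  }
  if (parsed.protocol !== "https:") {
    throw new GuestFetchError(`guest fetch: only https allowed, got ${parsed.protocol}`);
  }
  if (!allowed.has(parsed.origin)) {
    throw new GuestFetchError(`guest fetch: origin ${parsed.origin} not allowlisted`);
  }
  // Copy headers one by one from a plain object; anything identity-related is dropped.
  const headers = {};
  for (const [name, value] of Object.entries(init.headers ?? {})) {
    if (!FORBIDDEN_REQUEST_HEADERS.has(name.toLowerCase())) headers[name] = String(value);
  }
  return {
    url: parsed.toString(),
    init: {
      method: init.method ?? "GET",
      headers,
      body: init.body == null ? undefined : String(init.body),
      credentials: "omit", // never attach the host's cookies, even for allowlisted origins
      redirect: "error",   // a redirect could leave the allowlist; fail instead of following
      mode: "cors",
    },
  };
}

// The only function exposed to the guest; hostFetch is injected so the
// wrapper can be exercised with a fake in place of the real fetch.
function makeGuestFetch(allowedOrigins, hostFetch) {
  return (url, init) => {
    const req = prepareGuestRequest(allowedOrigins, url, init);
    return hostFetch(req.url, req.init);
  };
}
```

Only the sanitized `{url, init}` pair ever reaches the host's fetch, so the guest cannot widen the request by passing extra options.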
Also what happens if the code has infinite loops? Is there an ability to pause execution? That would be helpful
quickjs-emscripten is great, but its API is deliberately very close to quickjs's C API. It can be quite difficult to use directly, and implementing support for loading libraries is non-trivial, especially if any of those libraries depend on certain nodejs or browser APIs.
Implementing support for `require()` is tricky, because it's a blocking API, so doing any async IO to fetch module code is not possible unless you either:
- Use the asyncified version of quickjs-emscripten (slower and more difficult to use)
- Use blocking IO to load modules (not ideal)
- Pre-load all module files into an in-memory filesystem (which is what it sounds like this lib is doing)
I haven't looked much into how the quickjs-emscripten-sync library works exactly, but automatic synchronization of host and guest functions seems like it could be a big attack surface, and I worry that it might be possible to escape the sandbox with it somehow.