Open discussion about VM module #811

Closed
UlisesGascon opened this issue Jul 8, 2022 · 6 comments
@UlisesGascon (Member)

Hi all!

I want to start an open discussion about VM as agreed in the last meeting (#810).

We already know that VM can't be considered a security mechanism.

> The node:vm module is not a security mechanism. Do not use it to run untrusted code.

(Node.js official documentation)

But there is an intense misunderstanding around this in the community. In this discussion, we want to achieve some solid arguments that can clarify why we can't consider VM a security mechanism.

@mcollina (Member)

mcollina commented Jul 8, 2022

Due to the issue's sensitivity, I can provide some examples of why we can not do so privately.

On top of technical issues, there is also a people problem: very few people are capable and willing to volunteer to run triage & fix these kinds of issues.

@matt- (Contributor)

matt- commented Jul 8, 2022

There are a few public example escapes like this https://gist.github.com/domenic/d15dfd8f06ae5d1109b0 (7 years old) that are referenced in other sandbox projects like VM2.

@naugtur

naugtur commented Jul 8, 2022

By looking at what SES does, it's easy to estimate how much work is needed to provide a secure environment on top of context isolation.

https://github.com/endojs/endo/tree/master/packages/ses

What do we want to achieve here? Explain definitely how using VM for security is a lost cause?
How about we point them at SES/Endo? Especially once Endo is closer to done 😅

@RafaelGSS (Member)

> What do we want to achieve here? Explain definitely how using VM for security is a lost cause?
> How about we point them at SES/Endo? Especially once Endo is closer to done

The idea is to clarify in the threat document that vm shouldn't be used as a security mechanism. It sounds a bit weird to say just: don't consider vm as a security mechanism.

Since it creates a new V8 context, I see people arguing that it can avoid prototype pollution.

```js
const vm = require('node:vm');

// The sandbox object must exist before it is contextified.
const context = {};
vm.createContext(context);

// Tamper with String.prototype inside the new context only.
const code = 'String.prototype.toString = function () { return "tamper" }';
vm.runInContext(code, context);

// The host realm has its own String.prototype, so it is unaffected.
console.log('X'.toString()); // X
```

I mean, we just need to make that statement clear/strong with a few examples.

@UlisesGascon (Member, Author)

I found this article as a great and clear demonstration:

1. DoS Attack:

Remember the VM will run the JS code in a new V8 Virtual Machine context but in the same process and the same event loop.

```js
const vm = require('vm');
// Synchronous infinite loop: the new context shares the host's thread and
// event loop, so this blocks the whole process.
const code = 'while(true){}';
vm.runInNewContext(code, {});
console.log('Never gets executed.');
```

2. Escaping the Sandbox (this.constructor.constructor)

```js
const vm = require('vm');
// `this` inside the script is the context's global; its prototype chain leads
// back to the host realm's Object and Function constructors.
const code = 'var x = this.constructor.constructor("return this")()';
const context = { y: 1 };
vm.runInNewContext(code, context);
console.log(context.x); // the host process's global object
```

BTW, I found a very good discussion about VM in this issue too.

@RafaelGSS (Member)

All the suggestions made in the WG Meeting will be applied in the Threat Model document. Thanks everybody.
