Background
I'm building a Ruby on Rails application that allows a user to upload a custom JavaScript that will be executed on the server. This custom script is used to define a field on the API response. The following list describes the sequence of events.
- User sends HTTPS request to application API via POST
- API controller formulates JSON response
- User's Script is executed and the output is saved as a field on the JSON response
- API response is sent
The method below is used for script execution. script_body contains the user's custom JavaScript and is saved in the DB as a text field on an object that belongs to the User.
def run_script
begin
Timeout::timeout(2) { script_output = ExecJS.exec(script_body).to_s }
rescue => e
logger.info "Script failed: #{e.message}"
script_output = "(Script failed with the following error: #{e})"
end
end
Problem
I'm wondering how best to sandbox the execution of the JS script to mitigate security implications of executing user scripts on the server. I would like to know the recommended approach for:
- Ensuring that the JS script cannot access any files on the server
- Prevent the script from accessing the Rails application or DB
- Protect against any other malicious activity (I'm not an expert so please forgive the lack of detail)
- Maintain reasonable performance (needs to execute within an API call)
Additional Info
I have tried to find some examples of sandboxing JS execution within Ruby applications and haven't found much. I have looked at the following gem (https://github.com/tario/shikashi). However, this seems to be a sandbox for Ruby code only. I'm concerned that I would provide privileges for ExecJS.exec to execute and then the JS would be able to do whatever it wants. I'm not sure this would be the best approach.
Perhaps you can use ruby`s $SAFE levels