I've had several readers ask me about patriksimek/vm2: recently, so I decided to write a comprehensive article about it.

Have questions? Feel free to ask in the comments section below.

正文

vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Important Security Disclaimer

Before using vm2, you should understand how it works and its limitations.

as your application. It does this through a complex network of

that intercept and mediate every interaction between the sandbox and the host environment.

JavaScript is an extraordinarily dynamic language. Objects can be accessed through prototype chains, constructors can be reached via error objects, symbols provide protocol hooks, and async execution creates timing windows. The sheer number of ways to traverse from one object to another in JavaScript makes building an airtight in-process sandbox extremely difficult.

Despite our best efforts, researchers and security professionals continuously discover new ways to escape the vm2 sandbox. We actively patch these vulnerabilities as they are reported, but the cat-and-mouse nature of in-process sandboxing means that:

New bypasses will likely be discovered in the future. for known vulnerabilities.

to benefit from the latest security fixes. Subscribe to security advisories and update promptly.

Defense in depth is essential when running untrusted code.

If you require stronger isolation guarantees, consider these alternatives that provide

Higher IPC overhead; data must be serialized Docker, gVisor, Firecracker

Cloud-based code execution (e.g., AWS Lambda, Cloudflare Workers)

You need tight integration with host objects and fast synchronous communication

The untrusted code comes from a relatively trusted source (e.g., internal tools, plugin systems with vetted authors)

You combine vm2 with other security layers (network isolation, filesystem restrictions, resource limits)

More Details

There are a few more points worth noting. First, browser compatibility varies across different browsers. Second, performance optimization is crucial when handling large amounts of data. Finally, key management is also an important consideration.

Due to length constraints, I'll wrap up here. More practical examples coming soon. Leave a comment if you have questions!

Reference: patriksimek/vm2: Advanced vm/sandbox for Node.js - GitHub