When using Node 8, the console is available for the sandboxed code

[honzajavorek]

The last example (test3) demonstrates that while in Node 6 the console is considered as not defined within the sandboxed code, in Node 8 it is suddenly available. Why is this happening?

const Pitboss = require('pitboss-ng').Pitboss;


// PRINTS: null 42
const test1 = new Pitboss('40 + 2', {
  memoryLimit: 32 * 1024,
  timeout: 5 * 1000,
  heartBeatTick: 100,
});
test1.run({
  context: {},
  libraries: {},
}, (err, result) => {
  console.log('test1:', err, result);
  test1.kill();
});


// PRINTS: VM Runtime Error: ReferenceError: gargamel is not defined undefined
const test2 = new Pitboss('gargamel.log("hello")', {
  memoryLimit: 32 * 1024,
  timeout: 5 * 1000,
  heartBeatTick: 100,
});
test2.run({
  context: {},
  libraries: {},
}, (err, result) => {
  console.log('test2:', err, result);
  test2.kill();
});


// PRINTS: (Node 6)
// VM Runtime Error: ReferenceError: console is not defined undefined
// PRINTS: (Node 8)
// null null
const test3 = new Pitboss('console.log("hello")', {
  memoryLimit: 32 * 1024,
  timeout: 5 * 1000,
  heartBeatTick: 100,
});
test3.run({
  context: {},
  libraries: {},
}, (err, result) => {
  console.log('test3:', err, result);
  test3.kill();
});

[honzajavorek]

Seems like specifically the console object has been added to the context of vm in Node 8: nodejs/node#14465 I don't think Pitboss can do anything about it.

[tu1ly]

@honzajavorek that is the reason why i've add
f0d7cac#diff-97e0be3c8955d96fb6fdc37429400d42R11

so you can pass it as param.

pitboss.run {libraries: { console: 'console'}}, (err, results) =>

[honzajavorek]

@tu1ly I have libraries defined as follows:

{
  ...
  libraries: {'_log': customObject}
  ...
}

According to my tests, that doesn't prevent console to be available in the VM. I had to do this in the beginning of the code being run inside the VM to disable it:

const code = `
// make console unavailable
try {
  // node >= 8
  console = undefined;
} catch (_exc) {
  // node < 8
  var console = undefined;
}
runSandboxedUserCode(); // the actual sandboxed code
`

[tu1ly]

@honzajavorek that doesn't prevent console to be available in the VM - no, that makes it available (in node < 8) :) - thought you want console to be available in node < 8

[honzajavorek]

Nope, I want it unavailable in node >= 8 😄