Comment by simonw

3 years ago

I was interested to see that this uses the DukPy wrapper around Duktape for the JavaScript interpreter: https://browser.engineering/scripts.html

This made me start digging into whether this was considered a "safe" way of executing untrusted JavaScript in a sandbox.

It's not completely clear to me if DukPy currently attempts safe evaluation - it's missing options for setting time or memory limits on executed code for example: https://github.com/amol-/dukpy

There's a QuickJS Python wrapper here which offers those limits: https://github.com/PetterS/quickjs

I'm pretty paranoid, though, any time it comes to security and dependencies written in C, so I'd love to see a Python wrapper around a JavaScript engine that has safe sandbox execution as a key goal plus an extensive track record to back it up!

If you want battle-hardened, I figure you can't do better than V8. Here's a Python wrapper that I've poked at a bit (it's not quite 100% feature-complete but it seems to essentially work): https://github.com/sqreen/PyMiniRacer

I don't see any specific claims on isolation/memory safety or safety in general on Duktape's page. Both V8 and SpiderMonkey actively fix new JS vulnerabilities, and V8 isolates are used in the wild with success. Cloudflare Workers is an example.
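The limits the thread keeps coming back to (wall-clock time and memory) can be imposed from outside the engine when the wrapper itself offers none, which is the situation described for DukPy above. The following is an added example, not code from the thread, DukPy, QuickJS or PyMiniRacer: each evaluation runs in a short-lived forked child whose address space is capped with `RLIMIT_AS`, and the parent kills it on a deadline. It assumes a POSIX host (fork plus the `resource` module). The `engine` argument is any callable that takes script source and returns a picklable result; in real use that would be DukPy's `dukpy.evaljs`, but so the block runs without a JS package installed it uses `python_stand_in`, a stand-in built on Python's `eval` that plays the part of an interpreter with no limits of its own and is in no sense a sandbox. The sample scripts are constructed for the demonstration. Note the caveat: this contains resource exhaustion and a crash, but a plain child process without seccomp or namespaces is not an isolation boundary against a memory-safety bug in the engine, which is the concern raised about C dependencies.

```python
"""Process-level time and memory limits around an embedded script engine.

Added example (not DukPy, QuickJS or PyMiniRacer code). POSIX only: relies on
fork and resource.RLIMIT_AS.
"""
import multiprocessing as mp
import resource


class SandboxError(Exception):
    """Evaluation failed inside the worker (engine error, or worker died)."""


class SandboxTimeout(SandboxError):
    """Worker did not report a result before the wall-clock deadline."""


class SandboxOutOfMemory(SandboxError):
    """Worker hit the address-space cap."""


def _apply_memory_cap(memory_bytes):
    # Clamp to the existing hard limit so setrlimit cannot fail on a restricted host.
    _soft, hard = resource.getrlimit(resource.RLIMIT_AS)
    if hard != resource.RLIM_INFINITY:
        memory_bytes = min(memory_bytes, hard)
    resource.setrlimit(resource.RLIMIT_AS, (memory_bytes, memory_bytes))


def _worker(conn, engine, code, memory_bytes):
    """Runs in the forked child: cap memory, evaluate, report exactly once."""
    try:
        _apply_memory_cap(memory_bytes)
        conn.send(("ok", engine(code)))
    except MemoryError:
        conn.send(("oom", None))
    except BaseException as exc:  # anything else the engine raised
        conn.send(("error", f"{type(exc).__name__}: {exc}"))
    finally:
        conn.close()


def run_limited(engine, code, *, timeout_s=1.0, memory_bytes=1024 ** 3):
    """Evaluate `code` via `engine(code)` in a child process under limits.

    `engine` is any callable taking script source, e.g. dukpy.evaljs (assumed
    use; not exercised here). The result must be picklable to cross the pipe.
    """
    ctx = mp.get_context("fork")  # fork: the engine callable needs no pickling
    parent_conn, child_conn = ctx.Pipe(duplex=False)
    proc = ctx.Process(target=_worker, args=(child_conn, engine, code, memory_bytes))
    proc.start()
    child_conn.close()  # drop the parent's copy so EOF is visible if the child dies
    try:
        if not parent_conn.poll(timeout_s):
            raise SandboxTimeout(f"no result within {timeout_s}s")
        try:
            status, payload = parent_conn.recv()
        except EOFError:  # child exited without reporting, e.g. killed by a signal
            raise SandboxError("worker died before reporting a result") from None
    finally:
        if proc.is_alive():
            proc.kill()  # SIGKILL: an engine stuck in C code cannot be asked politely
        proc.join()
        parent_conn.close()
    if status == "ok":
        return payload
    if status == "oom":
        raise SandboxOutOfMemory(f"worker exceeded {memory_bytes} bytes of address space")
    raise SandboxError(payload)


def python_stand_in(code):
    """Stand-in engine so the example runs without a JS package installed.

    Python's eval is NOT a sandbox; it only plays the role of an embedded
    interpreter that has no limits of its own.
    """
    return eval(code)  # deliberately unrestricted stand-in


def outcome(engine, code, **limits):
    """Classify a run as ('ok', value), ('timeout', None), ('oom', None) or ('error', msg)."""
    try:
        return ("ok", run_limited(engine, code, **limits))
    except SandboxTimeout:
        return ("timeout", None)
    except SandboxOutOfMemory:
        return ("oom", None)
    except SandboxError as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    # Constructed sample scripts: a normal expression, a busy loop, a memory bomb.
    print(outcome(python_stand_in, "2 ** 10"))
    print(outcome(python_stand_in, "any(False for _ in iter(int, 1))", timeout_s=0.5))
    print(outcome(python_stand_in, "bytearray(8 * 1024 ** 3)", memory_bytes=512 * 1024 ** 2))
```

The deadline is enforced by the parent, not by the engine, which is the point: an interpreter that offers no interrupt hook cannot be stopped from inside the same process, but a child can always be killed. The address-space cap is set after the fork so it applies only to the worker, and `bytearray(8 * 1024 ** 3)` fails with `MemoryError` under a 512 MiB cap regardless of how much physical RAM the host has.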