How to disable NodeJs internal Modules?

Question

I am in the process of evaluating the use of NodeJs for a shared programming platform.

Users should be able to submit code and run it on the server. To give them the best fundamentals, several NodeJs Modules should be provided.

For security reasons the processes should be chrooted to forbid access to system resources.

The best approach seems to be the use of child_processes, especially the fork() function.

For further security also some NodeJs Modules should be disabled, like launching additional child processes.

How can I disable these modules for a child? I can't even seem to find compile options to disable some by default,

Answer 1

Basically, what you are looking for is running untrusted code within a trusted environment. The key here is sandboxing, I guess.

Please note that there are various solutions out there for creating and managing sandboxes in Node.js, among others:

• gf3/sandbox, which is A nifty javascript sandbox for node.js
• hflw/node-sandbox, which is an Advanced sandboxing library that allows communication between the sandbox and the parent process.

I do not have any practical experience with either of them, but I guess that's a step into the right direction for you. Maybe you would like to share your experiences with them here? I think this would be awesome :-)

Hope this helps.