4 min read
•Question 60 of 62hardHow to run code in a sandbox with the VM module?
Executing JavaScript in isolated contexts.
What You'll Learn
- Running code in sandboxes
- Creating contexts
- Security considerations
Basic Usage
code.jsJavaScript
const vm = require('vm');
// Run code in current context
const result = vm.runInThisContext('1 + 1');
console.log(result); // 2
// Run with custom context
const context = { x: 10, y: 20 };
vm.createContext(context);
const code = 'x + y';
const result = vm.runInContext(code, context);
console.log(result); // 30Sandboxed Execution
code.jsJavaScript
const sandbox = {
console: console,
result: null
};
vm.createContext(sandbox);
const code = `
const add = (a, b) => a + b;
result = add(5, 3);
`;
vm.runInContext(code, sandbox);
console.log(sandbox.result); // 8Script Compilation
code.jsJavaScript
// Compile once, run multiple times
const script = new vm.Script('x * 2');
const context1 = vm.createContext({ x: 10 });
const context2 = vm.createContext({ x: 20 });
console.log(script.runInContext(context1)); // 20
console.log(script.runInContext(context2)); // 40Timeout Protection
code.jsJavaScript
try {
vm.runInNewContext('while(true) {}', {}, { timeout: 1000 });
} catch (e) {
console.log('Script timed out');
}Security Warning
code.jsJavaScript
// VM is NOT a security sandbox!
// Malicious code can escape:
const code = `this.constructor.constructor('return process')().exit()`;
// Use isolated-vm or worker_threads for security