1
votes

I'm studying JavaScript/Node.js to develop an ERP solution. I would like to allow ERP end-users to upload their own custom scripts, so they can interact with ERP scripts. Of course, user scripts should implement a pre-defined ERP API.

For example, this is a feature offered by ODOO (open-ERP) using user custom scripts written in Python.

I would like to know if a full JavaScript stack can do the trick: is it possible to import an uploaded .js file at runtime in Node.js in order to execute it? Are there any issues with this approach?

Pretty much you could just eval anything JavaScript related. Or use the built-in Node modules framework to exhibit the required behavior and achieve a degree of self-containment - you can load any .js file as a module. - weaknespase
It is definitely possible, with many possible approaches. However, it will be a HUGE security risk. Depending on your setup and level of trust for your users, it may be acceptable for you. - e-neko
@e-neko node.js contains context support for such cases. You can implement this feature safely. Look at VM module: nodejs.org/dist/latest-v6.x/docs/api/… - weaknespase
@VallyN but even if you sandbox its execution from the rest of the system, it must still interact with the rest of the system. This could be through feeding it data it spits back or something, but if you don't have anything like that, then you are just letting it sit quietly in the corner and burn CPU cycles not doing anything... at which point, you may as well not execute it at all. - VLAZ
@vlaz Endless loops, sheesh, how could I forget about them... - weaknespase

1 Answer

2
votes

I would suggest you to use workers. It will look something like this:

const cluster = require('cluster');

// Point the cluster at the uploaded file; each fork() runs it in a separate process.
// (Newer Node.js versions name this method cluster.setupPrimary().)
cluster.setupMaster({
    exec: 'fileUploadedByUser.js'
});

// Start one worker process that executes the user's script.
cluster.fork();

But I would highly recommend reviewing all such files before executing them, or at least writing some code to analyze them and find any usage of system functions / variables.

Also, you can use something like pidusage to track the CPU usage of those files (workers), and if it reaches the limit you set, just kill the process.