Calling the `vm.run*` family of functions (`vm.runInThisContext`, `vm.runInNewContext`, `vm.runInContext`) with user-supplied arguments can lead to an attacker gaining full control of the server: Node's `vm` module is not a security boundary, so even a "new context" still executes inside the server process with its privileges. Consider running such code in a separate sandbox (for example an isolated container or process) and piping any output to a file instead.
const vm = require('vm');
// Vulnerable example: the request body is the source and vm.run is the sink.
// Whatever string the client sends in `code` is executed inside the server
// process, so nothing here limits what the submitted code can do.
app.post('/exec', (req, res) => {
  const { code } = req.body;
  vm.run(code);
});
// Vulnerable example: moving the handler into a named middleware does not
// change the data flow. The request-controlled string still reaches
// vm.runInThisContext, which evaluates it in the current context, i.e. inside
// the server process itself, so the same risk applies.
const middleware = (req, res) => {
  const { code } = req.body;
  vm.runInThisContext(code);
};

app.post('/exec', middleware);
// Compliant example: the request-controlled string never reaches an
// in-process vm sink. It is handed to an isolated container instead, which
// is where user-provided code should always run.
// `spawnContainer` is a placeholder used only to keep the example readable;
// it is not defined on this page.
const middleware = (req, res) => {
  const { code } = req.body;
  spawnContainer(code);
};

app.post('/exec', middleware);