UNPKG

@mariozechner/jailjs

Lightweight JavaScript interpreter for isolated execution. For plugins, user scripts, and browser extensions. Not for adversarial code - use SandboxJS or isolated-vm for that.

41 lines 1.46 kB
/**
 * ⚠️ SECURITY TEST SUITE - READ THIS FIRST ⚠️
 *
 * This test suite demonstrates KNOWN vulnerabilities and protections in JailJS.
 * It is NOT a comprehensive security test suite.
 *
 * PURPOSE:
 * - Show which attacks ARE prevented (constructor escapes, __proto__ access)
 * - Show which attacks are NOT prevented (prototype pollution)
 * - Document the security model for users
 *
 * WHAT THIS DOES NOT COVER:
 * - There are MANY undiscovered attack vectors
 * - New JavaScript features may introduce new escapes
 * - Timing attacks, side-channels, and other exotic vectors
 * - Attacks via provided globals (depends on what you pass in)
 *
 * SECURITY MODEL:
 * JailJS provides ISOLATION, not comprehensive sandboxing.
 *
 * ✅ PROTECTED AGAINST:
 * - Constructor chain escapes ([].constructor.constructor)
 * - __proto__ access
 * - Direct globalThis/window/self access
 *
 * ❌ NOT PROTECTED AGAINST:
 * - Prototype pollution (if you provide Array/Object)
 * - Mutation of provided globals
 * - Resource exhaustion (use maxOps)
 * - Many other attack vectors
 *
 * FOR UNTRUSTED/ADVERSARIAL CODE:
 * Use SandboxJS (https://github.com/nyariv/SandboxJS) or isolated environments
 * (Web Workers, separate processes, sandboxed iframes).
 *
 * FOR LLM-GENERATED CODE:
 * Layer JailJS inside sandboxed iframes with minimal API surface.
 * See LLM-SECURITY.md for detailed guidance.
 */
export {};
//# sourceMappingURL=security.test.d.ts.map
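Two of the gaps the comment lists, mutation of provided globals and prototype pollution through a provided Object/Array, are the host's to close: the interpreter isolates the script from the real globalThis, but whatever the host passes in is shared as-is. The following is an added JavaScript example, not code from the jailjs package and not a call into its API (this page does not show how globals are passed to it); it only builds and checks the minimal, deeply frozen, null-prototype globals object a host would hand over. `deepFreeze`, `makeGlobals` and `verifyIsolation` are names chosen here.

```javascript
// Added example (not from the jailjs package). Build the globals object a host
// would hand to an isolated interpreter so that mutation of provided globals
// and pollution of a provided Object/Array are blocked on the host side.

// Recursively freeze an object graph. Functions are frozen too, so a script
// cannot attach properties to the helpers it is given.
function deepFreeze(value, seen = new WeakSet()) {
  if (value === null || (typeof value !== "object" && typeof value !== "function")) {
    return value;
  }
  if (seen.has(value)) return value;
  seen.add(value);
  for (const key of Reflect.ownKeys(value)) {
    const desc = Object.getOwnPropertyDescriptor(value, key);
    if (desc && "value" in desc) deepFreeze(desc.value, seen);
  }
  return Object.freeze(value);
}

// Constructed globals: a null-prototype object (no Object.prototype reachable
// through it) holding wrappers around host functions rather than the host's
// own Math, Array or Object, so nothing the script reaches is shared host state.
// Not handing out Array/Object at all is what removes the prototype-pollution
// surface the comment describes.
function makeGlobals() {
  const globals = Object.create(null);
  globals.Math = {
    floor: (x) => Math.floor(x),
    min: (...xs) => Math.min(...xs),
    max: (...xs) => Math.max(...xs),
  };
  globals.log = (...args) => console.log("[script]", ...args);
  return deepFreeze(globals);
}

// Host-side check run before the globals are handed over. Reflect.set and
// Reflect.defineProperty report a refused write as `false` in both strict and
// sloppy mode, so the result does not depend on how the caller's file is parsed.
function verifyIsolation(globals) {
  const mutationRejected =
    Reflect.set(globals.Math, "floor", () => 0) === false &&
    Reflect.set(globals, "injected", 1) === false &&
    Reflect.defineProperty(globals.log, "hook", { value: 1 }) === false;
  return {
    frozen:
      Object.isFrozen(globals) &&
      Object.isFrozen(globals.Math) &&
      Object.isFrozen(globals.log),
    noPrototypeChain: Object.getPrototypeOf(globals) === null,
    mutationRejected,
    floorStillWorks: globals.Math.floor(2.7) === 2,
  };
}

// Stand-alone run: every field should be true.
console.log(verifyIsolation(makeGlobals()));
```

Freezing addresses only the two mutation-related items; it does nothing for resource exhaustion, for which the comment points at maxOps, and nothing for escapes inside the interpreter itself, which is why the comment still recommends a sandboxed iframe or a separate process for adversarial input.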