Suggestion for how to make this module safer

[dmfenton]

I came across an interesting module in the Node stdlib called vm. Since alasql makes heavy use of evaluating strings as functions as I thought this may be something to look at.

https://nodejs.org/api/vm.html

It allows you to specify to explicitly specify the execution context for a given script. Therefore you can disable things like requiring external modules, the filesystem api, etc

const vm = require('vm')
vm.runInContext('require("foo")', {})
ReferenceError: require is not defined

[mathiasrw]

So you would use vm to run the string constructed functions?

It would be interesting to see if there is a performance gain or loss from this.

On another note: would also be usefull to run alasql as a whole in a vm

[dmfenton]

I agree the performance trade off would be worth measuring. I don't think you could run all of alasql inside a vm without disabling user defined functions. User defined functions in general are the tricky part I think.

[mathiasrw]

Do you know if vm can run within a vm?

[dmfenton]

> vm.runInContext(vm.runInContext('2*2', vm.createContext()), vm.createContext({vm}))
4