Run dubious code in Node.js 0.10+ or io.js, with built-in memory-limit and timeout management.
npm install pitboss-ng
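// Example: run untrusted code inside a separate, resource-limited child process.
var path = require('path'); // required for path.join() in the libraries map below
var Pitboss = require('pitboss-ng').Pitboss;

var untrustedCode = "var a = !true;\n a";

var sandbox = new Pitboss(untrustedCode, {
  memoryLimit: 32*1024, // 32 MB memory limit (default is 64 MB)
  timeout: 5*1000, // 5000 ms to perform tasks or die (default is 500 ms = 0.5 s)
  heartBeatTick: 100 // interval between memory-limit checks (default is 100 ms)
});

sandbox.run({
  context: { // context is an object of variables/values accessible by the untrusted code
    'foo': 'bar', // context must survive JSON.stringify
    'key': 'value' // = no RegExp, Date, circular references, Buffer or other exotic values
  },
  libraries: {
    myModule: path.join(__dirname, './my/own/module'),
    // will be available as global "myModule" variable for the untrusted code
    'crypto': 'crypto', // you can also require system/installed packages
    '_': 'underscore' // require underscore the traditional way
    // every entry here is require()d in the child and exposed as a global to the
    // untrusted code, so list only the modules that code actually needs
  }
}, function callback (err, result) {
  // release the child first so it never outlives a failed run
  sandbox.kill();
  if (err) {
    // err is a string describing why the run failed (timeout, syntax error, process failure)
    console.error('Sandbox error:', err);
    return;
  }
  // result is the synchronous "return" of the last line in your untrusted code, here "a = !true", so false
  console.log('Result is:', result); // prints "Result is: false"
});

// OR other option: libraries can be an array of system modules
sandbox.run({
  context: {}, // no data-variables are passed to context
  libraries: ['console', 'lodash'] // we will be using global "lodash" & "console"
}, function callback (err, result) {
  // finished, kill the sandboxed process
  sandbox.kill();
  if (err) {
    console.error('Sandbox error:', err);
  }
});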
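var assert = require('chai').assert;
var Pitboss = require('pitboss-ng').Pitboss;

// The untrusted code reads `num` from the context and returns it modulo 5.
var code = "num = num % 5;\nnum;";

var sandbox = new Pitboss(code);

sandbox.run({context: {'num': 23}}, function (err, result) {
  // kill before asserting: a failing assertion throws and would otherwise
  // leave the sandboxed child process running
  sandbox.kill();
  assert.ifError(err); // surface a run failure instead of a confusing result mismatch
  assert.equal(3, result); // 23 % 5
});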
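var assert = require('chai').assert;
var Pitboss = require('pitboss-ng').Pitboss;

// The untrusted code logs through the exposed `console` global and returns num % 5.
var code = "num = num % 5;\n console.log('from sandbox: ' + num);\n num;";

var sandbox = new Pitboss(code);

sandbox.run({context: {'num': 23}, libraries: ['console']}, function (err, result) {
  // will print "from sandbox: 3" (23 % 5)
  // kill before asserting so a failed assertion cannot leave the child running
  sandbox.kill();
  assert.ifError(err);
  assert.equal(3, result);
});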
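var assert = require('chai').assert;
var Pitboss = require('pitboss-ng').Pitboss;

// Infinite loop: the run can only end through the sandbox timeout.
var code = "while(true) { num % 3 };";

var sandbox = new Pitboss(code, {timeout: 2000});
sandbox.run({context: {'num': 23}}, function (err, result) {
  // kill before asserting so a failed assertion cannot leave the child running
  sandbox.kill();
  assert.equal("Timedout", err); // result is undefined on a timed-out run
});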
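var assert = require('chai').assert;
var Pitboss = require('pitboss-ng').Pitboss;

// Not valid JavaScript: the sandbox reports a VM syntax error instead of running it.
var code = "Not a JavaScript at all!";

var sandbox = new Pitboss(code, {timeout: 2000});

sandbox.run({context: {num: 23}}, function (err, result) {
  // kill before asserting so a failed assertion cannot leave the child running
  sandbox.kill();
  assert.include(err, "VM Syntax Error");
  assert.include(err, "Unexpected identifier");
});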
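var assert = require('chai').assert;
var Pitboss = require('pitboss-ng').Pitboss;

// Unbounded string growth: the child is expected to exceed the memory limit
// well before the 10 s timeout and be reported as a failed process.
var code = "var str = ''; while (true) { str = str + 'Memory is a finite resource!'; }";

var sandbox = new Pitboss(code, {timeout: 10000});

sandbox.run({context: {num: 23}}, function (err, result) {
  // kill before asserting so a failed assertion cannot leave the child running
  sandbox.kill();
  assert.equal("Process failed", err);
});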
And since Pitboss-NG forks a separate process for each run, a ulimit kills only the runner.
0/10
Summary
Sandbox Breakout / Arbitrary Code Execution in pitboss-ng
Affected Versions
< 2.0.0
Patched Versions
2.0.0
Reason
no binaries found in the repo
Reason
0 existing vulnerabilities detected
Reason
Found 4/20 approved changesets -- score normalized to 2
Reason
project is archived
Details
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
security policy file not detected
Details
Reason
project is not fuzzed
Details
Reason
license file not detected
Details
Reason
branch protection not enabled on development/release branches
Details
Reason
SAST tool is not run on all commits -- score normalized to 0
Details
Score
Last Scanned on 2025-07-07
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.