i'm creating plugin system using following:
function plugin(thingy, code) { var global = null; var arguments = null; var process = null; var require = null; eval(code); }; plugins.push(new plugin(thingy, code)); please don't excited eval(), using ('vm') or sandbox not option long running object until user unloads it. running in it's own nodejs instance can't affect other users. i'd still have same problem passing in object reference sandbox system anyway.
what concerned seeing code of thingy object has functions need use e.g shoot()
console.log(thingy.shoot.tostring()); a way around following:
function thingy() { // can't see var _shoot = function(someone) { // load weapon // aim // fire }; // can see this.shoot = function(someone) { _shoot(someone); }; }; this way if console.log(thingy.shoot.tostring()) they'll see _shoot(someone); , not actual code handles shooting process.
please me following:
- is there easier way limit access passed in variables code?
- i'm setting global, arguments, process , require null; there others need worry about?
