couchdb-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jason Smith <...@iriscouch.com>
Subject Re: Branch to switch from SpiderMonkey to Node.js
Date Thu, 31 Jan 2013 16:27:34 GMT
On Thu, Jan 31, 2013 at 3:39 PM, Jan Lehnardt <jan@apache.org> wrote:

>
> >> Can someone please specifically describe a "sandbox" feature? CouchJS
> >> passes the test suite. So what does the sandbox do?
> >>
> >
> > did it many time. See my other mail where I tried to summarise it again.
>
> Can you give me a link? I was rather busy with CouchDB Conf prep in the
> past weeks.
>

I have been collecting them as notes in the v8 ticket, COUCHDB-1643

Starts here:
https://issues.apache.org/jira/browse/COUCHDB-1643?focusedCommentId=13556131&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13556131

Obviously, I am mostly listing "non-features" which are impossible to test
for. However I still have some ideas. Like I said, if JavaScript runs and
there are not *exactly* the correct global variable names (and their types)
then maybe that should be a failing unit test.

Also, I am thinking of maybe doing something with library shimming, using
LD_PRELOAD or something. Or maybe something with dtrace. I would like to
log all i/o a process does, at the system call level or so. And then run
the entire CouchDB test suite. Then I can make sure that total i/o bytes
into and out of javascript === 0.

Maybe I can't defeat a motivated attacker, however a test like that might
detect if we inadvertently do something bad. Doesn't couchjs link about
libcurl. How sure are you that there is no way cURL could possibly ever
sneak into the public API?

-- 
Iris Couch

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message