couchdb-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Russell Branca (JIRA)" <>
Subject [jira] [Commented] (COUCHDB-1894) Add experimental NodeJS query server
Date Thu, 26 Sep 2013 02:43:03 GMT


Russell Branca commented on COUCHDB-1894:

Jason, this is explicitly a decrease in security given this switches from SpiderMonkey, which
does not have File IO compiled in by default at all, to Node.js which has it built in. That
is a huge security concern and needs to be treated as such.

I've thought about the idea of a whitelist to require before, like Klaus and Jan are doing
in the new sandbox.js, but the problem I ran into with that approach is that I personally
can't prove that there isn't a way to get around that. I'm not saying it can't be done, I'm
saying I don't know how to do that.

It's the falsifiability problem. You can have the most exacting whitelist, but it doesn't
mean it's secure.

This is one of the reasons why I think we should have a node.js execution environment completely
isolated from CouchDB as a third party module, and have a simple and secure embedded implementation
built in.
> Add experimental NodeJS query server
> ------------------------------------
>                 Key: COUCHDB-1894
>                 URL:
>             Project: CouchDB
>          Issue Type: New Feature
>          Components: JavaScript View Server
>            Reporter: Jan Lehnardt
> Let’s clean up and merge Jason Smith’s Node.js query server into ASF land and ship
it as opt-in and experimental.
> I’ve prepared a branch that does the following:
>  - remove fancy extra features like app server handlers and the visual debugger support
for now
>  - make it a drop-in replacement for couchjs
>  - bundle the code in src/couchjs-node
>  - add a new query server language “nodejs” that people can use
>  - include sandbox.js from (not hooked up
> The query server is not installed by default and users can install them in two ways:
> 1. from source:
>     $ cd src/couchjs-node
>     $ npm link
> 2. from NPM:
>     $ npm install couchjs # add @1.x.x for once the module mirrors CouchDB version numbers
for forward compat)
> And then they can uncomment and update the [query_server] line in local.ini.
> * * *
> Open work items on the view server:
>  - make it work with CLI tests
>  - fix remaining test cases in web test runner
>  - hook up sandbox.js from

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see:

View raw message