by simonw 165 days ago
Yeah that (and full QuickJS) running inside WebAssembly do appear to be my best options. Here's my experiment running that one in WASM: https://github.com/simonw/research/tree/main/mquickjs-sandbo...

mquickjs shouldn't be escapable, in theory, given the memory model. I would do everything possible to avoid WASM, otherwise I'd just run V8.
Why avoid WASM?
Because what's the point?

You're running JS (an 'interpreted', managed language) - it's already intentionally designed to be executed in a sandbox. Unless you provide hooks out to the host system, it can't do anything bad. With mquickjs, the untrusted code can't even overflow your heap or take too much execution time.

If you were running untrusted C or something, it would make more sense to add the WASM layer.

Mainly defence in depth.

I have enormous respect for Fabrice, but mquickjs is only a few weeks old and I'm nowhere near skilled enough to audit his C code!

Running it in WASM feels a lot safer to me.

At that point why not just run V8 isolates, if JS is your only guest?
I'm having trouble finding a library for running V8 isolates from Node.js or Python that doesn't include a warning in the README not to use it to run untrusted code.