Evaluating JavaScript in the browser for a low code product (opens in new tab)

(blog.appsmith.com)

19 pointsarey_abhishek5y ago11 comments

11 comments

11 comments · 6 top-level

tonyhb5y ago· 4 in thread

Fairly certain you don't want to be throwing `eval` in your code.

I'm also building a workflow engine on the side, but don't want to see you run into security issues :)

Look into the realms TC39 proposal, the SES TC39 proposal, or running (no joke) a lightweight ES6 environment in webassembly to eval your code.

https://github.com/tc39/proposal-realms/#ecmascript-spec-pro...

https://github.com/tc39/proposal-ses

https://github.com/justjake/quickjs-emscripten

flowerlad5y ago

> you don't want to be throwing `eval` in your code

Unless you have generated the JS code yourself, in which case it is safe.

What kind of perf are you getting with QuickJS? If you have to evaluate an expression 10,000 times is QuickJS at least half as quick as eval?

tonyhb5y ago

True. Though I'd err on the side of caution in case someone in the team makes a PR to enable templating or user data somewhere that uses this code under the hood. Currently working in healthcare, so it's safest to work under the assumption of "don't introduce anything unsafe if possible, even if we know data is sanitized by us". Just in case one day that data is _not_ supplied by us.

RE. perf, I initially used Realms and it was fine. Right now I'm using wasm for templating and cuelang parsing - the speed is _good enough_ for the current UI, though I haven't really done strict performance testing yet, being honest :(

hetunandu5y ago

Author here. We have experimented with Realms in the past and had a working version for some time. Also did some POC with quickjs. In both scenarios, we saw performance degrade a lot.. So our current eval is run actually in the web worker so we take extra precautions to avoid leaking any problem some browser api inside the eval context. I like the idea of having a wasm eval environment as well, will experiment with that soon. Thanks for the tips :)

schwartzworld5y ago

What's the downside of calling eval in the client?

4lejandrito5y ago· 1 in thread

Nice work!

This reminded me to a series of posts by Figma in which they described how their JS plugin system works [1].

I remember there were plenty of security reasons why eval was not the best way to go. I wonder if you guys took this into account?

[1] https://www.figma.com/blog/how-we-built-the-figma-plugin-sys...

hetunandu5y ago

Nice article. It was one of the inspirations of the first version of the evaluation workflow. We actually have eval running in global context always with just a select items being injected inside eval to ensure security. Also this happens inside a web worker so the scope of global actions a malicious script can take reduces drastically

ficklepickle5y ago

I love the idea of web workers. I struggle to find a use case that isn't limited by serialization/deserialization.

AFAIK, workers are strings in and strings out. Often serialization is the most expensive operation, so adding additional serialization/deserialization steps can decrease performance overall.

The only use case I can imagine that would really benefit is computation-heavy with minimal input/output.

Until there is safe shared memory (please correct me if I'm wrong) I don't see many compelling use cases for web workers.

zubairq5y ago

Nice to read. I wrote a JS evaluator for a low code product and the whole thing feels quite natural to use JS as the scripting language for a low code product. Well done!

bergie5y ago

JavaScript in browser can be a nice sandbox for untrusted or semi-trusted code. We used that for a sort of AWS Lambda like thing some years ago

https://github.com/flowhub/jsjob

Edmond5y ago

looks nice, similar to retool.

j / k navigate · click thread line to collapse

11 comments

11 comments · 6 top-level

tonyhb5y ago· 4 in thread

Fairly certain you don't want to be throwing `eval` in your code.

I'm also building a workflow engine on the side, but don't want to see you run into security issues :)

Look into the realms TC39 proposal, the SES TC39 proposal, or running (no joke) a lightweight ES6 environment in webassembly to eval your code.

https://github.com/tc39/proposal-realms/#ecmascript-spec-pro...

https://github.com/tc39/proposal-ses

https://github.com/justjake/quickjs-emscripten

flowerlad5y ago

> you don't want to be throwing `eval` in your code

Unless you have generated the JS code yourself, in which case it is safe.

What kind of perf are you getting with QuickJS? If you have to evaluate an expression 10,000 times is QuickJS at least half as quick as eval?

tonyhb5y ago

hetunandu5y ago

schwartzworld5y ago

What's the downside of calling eval in the client?

4lejandrito5y ago· 1 in thread

Nice work!

This reminded me to a series of posts by Figma in which they described how their JS plugin system works [1].

I remember there were plenty of security reasons why eval was not the best way to go. I wonder if you guys took this into account?

[1] https://www.figma.com/blog/how-we-built-the-figma-plugin-sys...

hetunandu5y ago

ficklepickle5y ago

I love the idea of web workers. I struggle to find a use case that isn't limited by serialization/deserialization.

AFAIK, workers are strings in and strings out. Often serialization is the most expensive operation, so adding additional serialization/deserialization steps can decrease performance overall.

The only use case I can imagine that would really benefit is computation-heavy with minimal input/output.

Until there is safe shared memory (please correct me if I'm wrong) I don't see many compelling use cases for web workers.

zubairq5y ago

Nice to read. I wrote a JS evaluator for a low code product and the whole thing feels quite natural to use JS as the scripting language for a low code product. Well done!

bergie5y ago

JavaScript in browser can be a nice sandbox for untrusted or semi-trusted code. We used that for a sort of AWS Lambda like thing some years ago

https://github.com/flowhub/jsjob

Edmond5y ago

looks nice, similar to retool.

j / k navigate · click thread line to collapse