All host capabilities are deny-by-default. Sandboxed code cannot access the filesystem, network, child processes, or environment variables unless you explicitly allow it.

Permission helpers

Quick presets for common configurations:
```ts
import {
  createNodeDriver,
  allowAll,
  allowAllFs,
  allowAllNetwork,
  allowAllChildProcess,
  allowAllEnv,
} from "secure-exec";

// Allow everything
const driver = createNodeDriver({ permissions: allowAll });

// Allow only filesystem and network
const selective = createNodeDriver({
  permissions: {
    fs: allowAllFs,
    network: allowAllNetwork,
  },
});
```
| Export | Allows |
| --- | --- |
| allowAll | All operations across all domains |
| allowAllFs | All filesystem reads and writes |
| allowAllNetwork | All network requests and DNS lookups |
| allowAllChildProcess | All child process spawning |
| allowAllEnv | All environment variable access |

Function-based checks

Each permission field accepts a boolean or a function that inspects the request:
```ts
const driver = createNodeDriver({
  permissions: {
    // Allow reads, block writes
    fs: (req) => req.operation === "read",

    // Block internal hosts
    network: (req) => !req.hostname.endsWith(".internal"),

    // Only allow specific commands
    childProcess: (req) => ["node", "python3"].includes(req.command),

    // Allow specific env vars
    env: (req) => ["PATH", "HOME"].includes(req.name),
  },
});
```

Permissions type

```ts
type Permissions = {
  fs?: PermissionCheck<FsAccessRequest>;
  network?: PermissionCheck<NetworkAccessRequest>;
  childProcess?: PermissionCheck<ChildProcessAccessRequest>;
  env?: PermissionCheck<EnvAccessRequest>;
};

// Each field accepts a boolean or async function
type PermissionCheck<T> = boolean | ((request: T) => boolean | Promise<boolean>);
```
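As an added example that is not part of secure-exec or this page, the code below resolves a `PermissionCheck<T>` field the way the type above describes (missing field denies, boolean returned as-is, sync or async function awaited) and builds a hostname allowlist for the `network` field that normalizes case and trailing dots before matching. The request type is a minimal local stand-in for the page's `NetworkAccessRequest`, and the sample hostnames are constructed.

```typescript
// Local mirror of the documented PermissionCheck<T> signature (no secure-exec import).
type PermissionCheck<T> = boolean | ((request: T) => boolean | Promise<boolean>);

// Assumed minimal request shape: the page shows `req.hostname` on network requests.
type NetworkAccessRequest = { hostname: string };

// Resolve one permission field with deny-by-default semantics:
// undefined -> false, boolean -> itself, function -> awaited result.
async function evaluate<T>(check: PermissionCheck<T> | undefined, req: T): Promise<boolean> {
  if (check === undefined) return false;
  if (typeof check === "boolean") return check;
  return Boolean(await check(req));
}

// DNS names are case-insensitive and "example.com." names the same host as
// "example.com", so normalize before comparing.
function normalizeHost(hostname: string): string {
  return hostname.trim().toLowerCase().replace(/\.$/, "");
}

// Allowlist check: permit exact matches or subdomains of the listed domains.
function allowHosts(allowed: string[]): (req: NetworkAccessRequest) => boolean {
  const domains = allowed.map(normalizeHost);
  return (req) => {
    const host = normalizeHost(req.hostname);
    return domains.some((d) => host === d || host.endsWith("." + d));
  };
}

// The page's denylist, kept for comparison: it does not normalize, so a
// differently-cased hostname such as "db.INTERNAL" is not blocked.
const denyInternal = (req: NetworkAccessRequest) => !req.hostname.endsWith(".internal");

const allowExample = allowHosts(["example.com"]);

// Constructed sample hostnames run through the async resolver.
async function demo(): Promise<Record<string, boolean>> {
  return {
    allowlistPlain: await evaluate(allowExample, { hostname: "api.example.com" }),
    allowlistUpperTrailingDot: await evaluate(allowExample, { hostname: "API.EXAMPLE.COM." }),
    allowlistLookalike: await evaluate(allowExample, { hostname: "example.com.evil.test" }),
    denylistUpper: await evaluate(denyInternal, { hostname: "db.INTERNAL" }),
    missingField: await evaluate(undefined, { hostname: "anything" }),
  };
}

demo().then((r) => console.log(r));
```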

Full example

```ts
import {
  NodeRuntime,
  createNodeDriver,
  createNodeRuntimeDriverFactory,
  allowAllFs,
} from "secure-exec";

const runtime = new NodeRuntime({
  systemDriver: createNodeDriver({
    useDefaultNetwork: true,
    permissions: {
      fs: allowAllFs,
      network: (req) => req.hostname !== "localhost",
      childProcess: false,
    },
  }),
  runtimeDriverFactory: createNodeRuntimeDriverFactory(),
});

await runtime.exec(`
  const fs = require('fs');
  fs.writeFileSync('/tmp/test.txt', 'hello');   // allowed
  await fetch('https://example.com');            // allowed
  await fetch('http://localhost:8080');           // blocked
`);
```