示例:在 VM 中运行 HTTP Server


在使用 script.runInThisContext() 或者 vm.runInThisContext() 时,目标代码是在当前的V8全局对象的上下文中执行的。被传入此虚拟机上下文的目标代码会有自己独立的作用域。

要想用 http 模块搭建一个简易的服务器,被传入的代码必须要么自己执行 require('http'),要么引用一个 http,比如:

'use strict';
const vm = require('vm');

const code = `
((require) => {
  const http = require('http');

  http.createServer((request, response) => {
    response.writeHead(200, { 'Content-Type': 'text/plain' });
    response.end('你好世界\\n');
  }).listen(8124);

  console.log('服务器运行在 http://127.0.0.1:8124/');
})`;

vm.runInThisContext(code)(require);

上述例子中的 require() 和导出它的上下文共享状态。这在运行未经认证的代码时可能会引入风险,比如在不理想的情况下修改上下文中的对象。

When using either script.runInThisContext() or vm.runInThisContext(), the code is executed within the current V8 global context. The code passed to this VM context will have its own isolated scope.

In order to run a simple web server using the http module the code passed to the context must either call require('http') on its own, or have a reference to the http module passed to it. For instance:

'use strict';
const vm = require('vm');

const code = `
((require) => {
  const http = require('http');

  http.createServer((request, response) => {
    response.writeHead(200, { 'Content-Type': 'text/plain' });
    response.end('Hello World\\n');
  }).listen(8124);

  console.log('Server running at http://127.0.0.1:8124/');
})`;

vm.runInThisContext(code)(require);

The require() in the above case shares the state with the context it is passed from. This may introduce risks when untrusted code is executed, e.g. altering objects in the context in unwanted ways.