-rw-r--r-- | NOTICE | 4 | ||||
-rw-r--r-- | license.skip | 1 | ||||
-rw-r--r-- | src/couchjs-node/sandbox.js | 40 |
3 files changed, 45 insertions, 0 deletions
@@ -189,3 +189,7 @@ This product also includes the following third-party components:
 * share/doc/src/templates/couchdb/domainindex.html
 Copyright 2007-2011 by the Sphinx team
+
+ * sandbox.js https://github.com/KlausTrainer/sandbox.js
+
+ (c) 2013 Klaus Trainer
diff --git a/license.skip b/license.skip
index d87cc6ce8..43520110d 100644
--- a/license.skip
+++ b/license.skip
@@ -110,6 +110,7 @@
 ^src/couchdb/priv/couchspawnkillable
 ^src/couchdb/priv/stat_descriptions.cfg
 ^src/couchjs-node/package.json
+^src/couchjs-node/sandbox.js
 ^src/couchjs-node/README.md
 ^src/erlang-oauth/.*
 ^src/couch_dbupdates
diff --git a/src/couchjs-node/sandbox.js b/src/couchjs-node/sandbox.js
new file mode 100644
index 000000000..cfdff18ae
--- /dev/null
+++ b/src/couchjs-node/sandbox.js
@@ -0,0 +1,40 @@
+// from https://github.com/KlausTrainer/sandbox.js
+exports.runInSandbox = function(src, ctx, whitelist) {
+ var vm = require('vm'),
+ sandbox;
+
+ if (ctx && ctx.require) {
+ whitelist = whitelist || [];
+ var insecureRequire = ctx.require,
+ module = require("module"),
+ oldModulePrototype = module.prototype;
+
+ var secureRequire = function(moduleName) {
+ if (whitelist.indexOf(moduleName) == -1) {
+ module.prototype = oldModulePrototype;
+ throw new Error("'" + moduleName + "' is not whitelisted");
+ } else {
+ var requiredModule = insecureRequire(moduleName);
+ module.prototype = oldModulePrototype;
+ return requiredModule;
+ }
+ };
+
+ module.prototype = {
+ require: secureRequire,
+ load: module.prototype.load,
+ _compile: module.prototype._compile
+ };
+
+ module._cache = {};
+
+ ctx.require = secureRequire;
+ sandbox = Object.freeze(vm.createContext(ctx));
+ ctx.require = insecureRequire;
+ } else {
+ sandbox = Object.freeze(vm.createContext(ctx || {}));
+ }
+
+ return vm.createScript('(function() {"use strict"; return (' +
+ src + ')()}())').runInContext(sandbox);
+}; |
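Review bot: The whitelist in `secureRequire` (src/couchjs-node/sandbox.js) is only in force until the first `require` call returns, because both branches assign `module.prototype = oldModulePrototype` and nothing re-installs the restricted prototype, so modules loaded by later calls appear to resolve their own dependencies through the unrestricted loader. The reset is also skipped when `insecureRequire` throws, and it never runs if `src` does not call `require`, which leaves the swapped `module.prototype` and the emptied `module._cache` in place for the whole host process after `runInSandbox` returns. I would keep the restricted prototype installed for the duration of the run and restore it in a `finally` around `runInContext`, roughly as sketched below. Separately, `Object.freeze(vm.createContext(ctx))` freezes only the top level of the context and Node documents the `vm` module as not being a security mechanism, so the file should carry a comment such as `// NOTE: a vm context is not a security boundary; run untrusted functions in a separate, unprivileged process`.

```javascript
    var secureRequire = function(moduleName) {
      if (whitelist.indexOf(moduleName) === -1) {
        throw new Error("'" + moduleName + "' is not whitelisted");
      }
      return insecureRequire(moduleName);
    };

    // … unchanged: module.prototype swap, module._cache reset, context creation …

  try {
    return vm.createScript('(function() {"use strict"; return (' +
      src + ')()}())').runInContext(sandbox);
  } finally {
    // oldModulePrototype is only set on the ctx.require path
    if (oldModulePrototype) {
      module.prototype = oldModulePrototype;
    }
  }
```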