{"library":"ses",
"title":"SES: Hardened JavaScript for Secure Execution",
"description":"SES (Secure ECMAScript) is a JavaScript shim providing a hardened environment for robust security and fearless cooperation. It implements Hardened JavaScript, a subset of JavaScript proposed to ECMA TC39, designed to prevent prototype pollution and other common vulnerabilities. The current stable version, 2.0.0, focuses on plugging side-channel attacks and refining security guarantees. SES operates by 'locking down' the global environment: `lockdown()` freezes the shared intrinsics (Object.prototype, Array.prototype, Function.prototype and the rest), and the `Compartment` constructor creates isolated evaluation contexts. Each `Compartment` has its own global object and module system but shares the hardened, immutable intrinsics with the host and with every other compartment; a compartment's global starts with those intrinsics only, so ambient powers such as `console`, `fetch` or `process` are absent unless passed in explicitly as endowments. This approach lets mutually suspicious code interact safely under object-capability (ocap) principles, where every power is explicitly granted rather than ambiently available. The package maintains an active release cadence, with frequent updates across the broader `@endo` ecosystem. Key differentiators include its comprehensive protection against tampering with built-in objects, strict-mode evaluation inside compartments, and its utility in sandboxing third-party code for applications like blockchain smart contracts and browser extensions, notably used by Agoric and MetaMask.",
"language":"javascript",
"status":"active",
"last_verified":"Sun Apr 19",
"install":{"commands":["npm install ses"],"cli":null},
"imports":["import 'ses'; // Installs lockdown, harden and Compartment as globals; nothing is frozen until lockdown() is called","lockdown(); // Freezes the shared intrinsics; call once, as early as possible, before any untrusted code runs","new Compartment(endowments); // Global after importing 'ses'; the first argument becomes the compartment's explicit globals","harden(value); // Global after importing 'ses'; transitively freezes value and is only usable after lockdown()"],
"auth":{"required":false,"env_vars":[]},
"quickstart":{"code":"import 'ses';\n\n// Step 1: Lock down the shared intrinsics (Object.prototype, Array.prototype, ...).\n// Importing 'ses' only installs lockdown, harden and Compartment as globals;\n// nothing is frozen until lockdown() runs, so call it as early as possible.\nlockdown();\n\nconsole.log('Global environment locked down.');\n\n// Step 2: Create a Compartment for the untrusted code. Its global object starts\n// with only the hardened intrinsics: no console, no fetch, no process. Every\n// other power is an endowment passed in explicitly, hardened so the guest\n// cannot mutate it. harden() is only usable after lockdown().\nconst untrustedCompartment = new Compartment(\n  harden({\n    log: (msg: string) => console.log(msg),\n    greet: (name: string) => `Hello, ${name} from compartment!`,\n  }),\n);\n\n// Step 3: Evaluate the untrusted code. Compartment code always runs in strict\n// mode, so writes to frozen intrinsics throw instead of failing silently.\nconst untrustedCode = `\n  log(greet('World'));\n  // Ambient authority is absent unless endowed: console is not a global here.\n  log('typeof console inside the compartment: ' + typeof console);\n  try {\n    Object.prototype.evil = 'muahaha'; // TypeError: Object.prototype is frozen\n  } catch (e) {\n    log('Caught expected error: ' + e.message);\n  }\n  // The compartment's own Function and eval still work, but they only see this\n  // compartment's globals, never the host's.\n  log('Function works, scoped to the compartment: ' + Function('return typeof log')());\n`;\n\ntry {\n  untrustedCompartment.evaluate(untrustedCode);\n} catch (e: any) {\n  console.error('Error evaluating untrusted code:', e.message);\n}\n\n// Step 4: Compartments share the host's intrinsics, so verify the host saw no\n// pollution. Call hasOwnProperty via .call so a shadowed method cannot lie.\nif (Object.prototype.hasOwnProperty.call(Object.prototype, 'evil')) {\n  console.error('Prototype pollution detected in main realm!');\n} else {\n  console.log('Main realm is still secure.');\n}","lang":"typescript","description":"Demonstrates locking down the shared intrinsics and evaluating untrusted JavaScript inside an isolated Compartment that receives only explicit, hardened endowments (a logger and a greeting function). It also shows that ambient globals such as console are absent unless endowed, that writes to frozen prototypes throw under the compartment's strict-mode evaluation, and that the compartment's own Function constructor works but is scoped to the compartment's globals rather than the host's.","tag":null,"tag_description":null,"last_tested":null,"results":[]},
"compatibility":null}