Current Status. I am investigating two approaches using the knex.js library: https://knexjs.org
Knex.js is a fantastic query builder library that allows you to build SQL queries in a very declarative manner.
h3. Approach 1 - Allow users to use the query builder inside a sandboxed environment using knex and vm2 https://www.npmjs.com/package/vm2
This approach would allow users to write a minimal amount of JavaScript that would be executed in a very tightly controlled sandbox environment, where only the query builder object and any query/mutation arguments would be passed into the sandbox. It would not be possible, for example, to require() other libraries. Take a look at some of the syntax to get an idea of what a user could do:
{code}
knex.select('title', 'author', 'year').from('books')
{code}
Outputs:
{code}
select `title`, `author`, `year` from `books`
{code}
{code}
knex('users').where('id', 1).orWhere({votes: 100, user: 'knex'})
{code}
Outputs:
{code}
select * from `users` where `id` = 1 or (`votes` = 100 and `user` = 'knex')
{code}
With this approach it would be possible to execute several queries against the database and even perform some limited amount of business logic.
Take a look at this gist that shows how we could use knex and vm2 together: https://gist.github.com/darahayes/fd3c18bd4b57fdbeaf947fb6d78e5485
Take a look at this blog post to understand more about vm2: https://odino.org/eval-no-more-understanding-vm-vm2-nodejs/
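The sandbox only constrains what it is handed, and a bare knex instance still exposes knex.raw() for arbitrary SQL and knex.schema for DDL, so the object passed in should itself be restricted to an allowlisted query surface. The following is an added example (not the issue's or the linked gist's code, and independent of vm2's API) of such a deny-by-default wrapper; the knex stand-in is constructed so the snippet runs offline.

```javascript
// Deny-by-default wrapper for the knex object before it goes into the sandbox.
// Only the methods below are reachable; raw, schema, destroy, constructor, ...
// throw. This set is an assumption, not knex's own list of "safe" methods.
const ALLOWED_METHODS = new Set([
  'select', 'from', 'where', 'andWhere', 'orWhere', 'whereIn',
  'orderBy', 'limit', 'offset', 'first', 'count',
]);

// Returns a Proxy exposing only allowlisted methods. Every chained call is
// wrapped again, and the root stays callable so knex('users') keeps working.
function restrictBuilder(target, allowed = ALLOWED_METHODS) {
  function wrapResult(r) {
    return (typeof r === 'object' && r !== null) || typeof r === 'function' ? wrap(r) : r;
  }
  function wrap(obj) {
    return new Proxy(obj, {
      get(t, prop) {
        if (typeof prop === 'symbol') return undefined; // inspection hooks, not API
        if (prop === 'then') return typeof t.then === 'function' ? t.then.bind(t) : undefined;
        if (!allowed.has(prop)) throw new Error(`"${prop}" is not available in the sandbox`);
        return (...args) => wrapResult(t[prop](...args));
      },
      apply(t, _thisArg, args) { return wrapResult(t(...args)); },
      set() { throw new Error('the sandbox may not modify the query builder'); },
    });
  }
  return wrap(target);
}

// Constructed stand-in for a knex instance so this runs offline: callable like
// knex('users'), chainable, and it records every call so we can inspect it.
function fakeKnex() {
  const calls = [];
  const builder = {};
  for (const m of ['select', 'from', 'where', 'orWhere', 'raw', 'destroy']) {
    builder[m] = (...args) => { calls.push([m, args]); return builder; };
  }
  const root = (table) => builder.from(table);
  return Object.assign(root, builder, { schema: {}, calls });
}

// What a sandboxed script can still do: build an ordinary query chain.
function recordedChain() {
  const real = fakeKnex();
  const safe = restrictBuilder(real);
  safe('users').select('id', 'name').where('id', 1).orWhere({ votes: 100 });
  return real.calls;
}

// What it cannot do: reach anything outside the allowlist on the root object.
function isBlocked(prop) {
  try { restrictBuilder(fakeKnex())[prop]; return false; } catch (e) { return true; }
}
```

The wrapped object, rather than the bare knex instance, is what would be placed in the sandbox. Note that the vm2 project has since been discontinued by its maintainers, so the sandbox layer itself would need re-evaluating before this design is adopted.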