created_at2019-03-07 17:23:07.328658
updated_at2019-04-18 20:36:18.859348
descriptionAn HTTP service that uses the Duktape JavaScript engine to safely execute JavaScript in a sandboxed environment.
Jason Longshore (longshorej)




Crates.io Crates.io CircleCI


An HTTP service that uses the Duktape JavaScript engine to safely execute JavaScript in a sandboxed environment.

Getting Started

Start with Docker (AMD64/ARM)

Using Docker, start the service (be sure to replace <version> below):

docker run -e JSAAS_BIND_ADDR= -p 9412:9412 --rm -ti titanclass/jsaas:<version>

You can find the latest version on DockerHub

Start with Cargo

If you have Rust, you can opt to use Cargo instead:

cargo install jsaas

Define and Execute

Now that the JSaaS service is running, define a program that adds two numbers:

curl -XPOST --data 'function(a, b) { return a + b; }' http://localhost:9412/scripts

which yields:


Next, execute the program by supplying the numbers:

curl -XPOST --data '[4, 5]' http://localhost:9412/scripts/af15791e-e9c1-4750-8a44-60222ef88c7c

which yields:


In a real-world scenario, you can also return a JS object or any other JSON-serializable value.

Execute Once

You can also supply a function to be evaluated in one request and immediately discarded.

curl -XPOST --data 'function() { return 8 * 2; }' http://localhost:9412/execute

which yields:



JSaaS is configured through environment variables. See the following table for a listing of variables:

Name Description
JSAAS_BIND_ADDR Declare the address to bind to. Default: ""
JSAAS_SCRIPT_DEFINITION_EXPIRATION_TIME If a script isn't executed in this duration (milliseconds), it is removed from the server. Default: "86400000"
JSAAS_SCRIPT_EXECUTION_THREAD_POOL_SIZE Number of workers to use for executing JavaScript. 0 signifies number of CPUs availablet. Default: "0"
JSAAS_SCRIPT_EXECUTION_COMPLETION_TIME Duration of time to wait for a script to finish executing before timing out. Default: "10000"
JSAAS_TLS_BIND_ADDR If specified, and TLS is configured, a separate port will be bound for TLS instead of using the default one.
JSAAS_TLS_PUBLIC_CERTIFICATE_PATH TLS public key path, PEM format. Note that TLS is currently only supported on Linux.
JSAAS_TLS_PRIVATE_KEY_PATH TLS private key path, PEM format. Note that TLS is currently only supported on Linux.


This project currently requires a POSIX-compliant operating system and bash, mostly due to its build setup. The first time that the project is compiled may take some time as the build downloads Duktape and configures it.

You'll need the following software:

  • cargo
  • curl
  • gcc
  • python2
  • python2-yaml
  • rustc

Once the environment is prepared, execute the following:

cargo build

A static binary can be produced:

cargo build --release --target=x86_64-unknown-linux-musl

A webserver can be started for development:

cargo run


0.5.0 - 2019-04-18

  • JSaaS is now published to DockerHub for both AMD64 and ARM architectures.

0.4.1 - 2019-03-29

  • Fix a bug in atob causing incorrect results for certain inputs.

0.4.0 - 2019-03-07

  • Use futures::sync::mpsc for better Tokio integration.
  • Rust 1.33.0.
  • First version published to Crates.io (in addition to DockerHub).

0.3.0 - 2019-02-20

  • Fix a bug causing a crash if invalid values are returned by supplied JS code.

  • Add atob, btoa implementations for Base64 support.

  • Use HTTP status 400 where appropriate.

  • Rust 1.32.0.

0.2.0 - 2019-02-04

  • Add an /execute route that can execute code without saving it.

0.1.0 - 2019-01-10

  • Initial release.


To release, push a tag that starts with "v" -- e.g. "v0.2.0" -- and CircleCI will build the project, push an image to DockerHub, and publish it on Crates.io.

(c)opyright 2019, Titan Class P/L

Commit count: 31

cargo fmt