
You are currently reading a thread in /g/ - Technology

Thread replies: 17
Thread images: 1
File: Untitled.png (18 KB, 640x400)
I think I managed to create a piece of Javascript that I could use to run untrusted javascript securely in someone's browser. However, I think there's no such thing as secure untrusted javascript execution. Can the wizards around here tell me how they'd break this?
// Checks whether the arg is a valid argument identifier
var filter = function (x) {
    var any = "$a-zA-ZÀÈÌÒÙàèìòùÁÉÍÓÚÝáéíóúýÂÊÎÔÛâêîôûÃÑÕãñõÄËÏÖÜäëïöüçÇßOoÅåÆæÞþÐð";
    var y = x.match("^[" + any + "][\\d" + any + "]*$");
    return !!y;
}

// Creates a function that doesn't have access to the navigator/window/document
var safeFn = function (str) {
    try {
        // Check whether the code is syntactically correct
        new Function(str);
        // Create a function that has everything forbidden as an argument
        var str = "return (function(arg," + Object.getOwnPropertyNames(window).filter(filter).join() + "){ " + str + " ; })(arguments[0]);";
        return new Function(str);
    } catch (e) {
        return e;
    }
};

var x = safeFn("return arg + 1");

The only thing you can do is set the content of the "str" variable. How would you gain access to cookies/DOM/XMLHttpRequest?
>>
Fuck off with your homework.
>>
>>54766866
>Impossible task
>Homework
You haven't even taken the time to look at the problem at hand, retard.
>>
>>54766738
>plz help me with muh homewo... huh... challenge

FUCK OFF
>>
>>54766913
>>54766890
>>
>>54766738
Using new Function() is terribly insecure. But I have to admit that other than finding a path to the Window object by navigating through the prototype chain of arguments I don't see where there could be an exploit. What do you plan on doing with this ?
>>
>>54766987
>What do you plan on doing with this ?
Navigating through the prototype chain of arguments to find a path to the Window object and submitting it to my professor as a homework solution.
>>
>>54766987
I'm thinking about creating a website where you could code an AI for a game in live and have it fight other AIs. You could update the code in realtime and things like that. That's why I need to be able to execute untrusted code securely.
>>
>>54766987
>finding a path to the Window object by navigating through the prototype chain of arguments
There's no path, though.
>>
>>54767018
Check out vindinium.org. It's not "live coding" but it might give you a few ideas.
Also do take a look at https://alexnisnevich.github.io/untrusted/, it's all done in JavaScript and prevents the player from tampering too much with the game's internals.
>>
>>54767119
I already knew of both untrusted and vindinium. Didn't think about looking at untrusted's code, though. Thanks.
>>
>>54767119
Oh man, the validation of untrusted.js is shit. It checks for "forbidden" words and just prevents code from being run. Can't use that shit.
>>
>>54766738
If not in strict mode you should be able to access window by doing:
(function(){return this})()

On mobile, so I can't check.
>>
>>54767385
Nope - returns an anonymous function even without strict mode.
>>
>>54767430
Like this:
safeFn("return (function(){return this})()")().alert(1)
>>
>>54767686
Oh, well done. I'll keep on doing terrible hacks until I admit that I have to create my own interpreter, then.
Thanks !
>>
>>54767713
A bit late, but strict mode plus binding the returned function to e.g. null would prevent it I think.
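
The `this` leak found in the thread and the strict-mode fix suggested in the last reply, side by side. This is an added example, not code from any poster. It assumes Node.js, with globalThis standing in for window; shadowList, sloppyFn, strictFn and leaksGlobal are names chosen here, and the ASCII-only identifier check simplifies OP's filter. It covers only this one leak, not sandboxing in general.

```javascript
// Added example, not the thread's code. Runs under Node.js, where globalThis
// stands in for the browser's window object.
const IDENT = /^[$A-Za-z_][$\w]*$/; // ASCII-only identifier check (simplification)

// Global names that can legally be used as parameter names in sloppy mode.
function shadowList() {
  return Object.getOwnPropertyNames(globalThis).filter(function (name) {
    if (!IDENT.test(name)) return false;
    try { new Function(name, ""); return true; } catch (e) { return false; }
  });
}

// OP's construction: user code is the body of a sloppy-mode function whose
// parameters shadow every global name.
function sloppyFn(userCode) {
  new Function(userCode); // syntax check, throws SyntaxError on bad input
  return new Function(
    "return (function(arg," + shadowList().join() + "){ " + userCode +
    " ; })(arguments[0]);");
}

// Variant following the last reply: user code runs in a strict-mode function
// called with this = null. The shadowing parameters stay on an outer sloppy
// function because strict mode rejects `eval` as a parameter name.
function strictFn(userCode) {
  new Function(userCode); // same syntax check as above
  return new Function(
    "return (function(arg," + shadowList().join() + "){" +
    " return (function(arg){ 'use strict'; " + userCode + " ; })" +
    ".call(null, arg); })(arguments[0]);");
}

// The probe posted in the thread: a nested plain function call returning `this`.
const probe = "return (function(){ return this })()";

// True when the wrapper built by `make` hands the global object to user code.
function leaksGlobal(make) {
  return make(probe)() === globalThis;
}

console.log("sloppy wrapper leaks global:", leaksGlobal(sloppyFn));
console.log("strict wrapper leaks global:", leaksGlobal(strictFn));
```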