Re: [WEB SECURITY] JSReg: Javascript based RegExp sandbox
- From: Terri Oda <terri@xxxxxxxxxx>
- Subject: Re: [WEB SECURITY] JSReg: Javascript based RegExp sandbox
- Date: Fri, 03 Jul 2009 16:52:34 -0400
I've been talking with some colleagues about doing something similar
using those JS closures, but it'd be even easier if I could just use
what you've got as a starting place, so... Thank you! I look forward to
poking around with it.
Have you taken a look at Microsoft's Web Sandbox?
http://websandbox.livelabs.com/
It sounds superficially similar, but I haven't looked at it deeply yet.
Terri
gaz Heyes wrote:
Hi all
Over the last few months I've been developing and rewriting (a lot)
JSReg, but now hopefully I'm finally getting somewhere. The goal was to
produce a sandboxed version of Javascript within Javascript itself,
because I need a sandbox for some projects I'm working on and I don't
want the overhead of another language.
My sandbox works with prefixes and suffixes, so "x" becomes "$x$" and any
reference to objects becomes $obj[$+'yourref'+$]. In addition I only
allow certain functions/properties based on a whitelist (so stuff like
constructor isn't supported). I also create safe functions which run
some checks to prevent window leakage; for example, take
(1,[].sort)().alert(1): here we leak to window. I protect against this
sort of attack by whitelisting native functions to disallow no or null
arguments, with the option to override per function (then an additional
check is performed on the object).
JSReg contains a special object called "globals". I use this to rewrite
your javascript code, so for example 'test' becomes
globals.string('test'); this produces a special prototyped version of the
string which can be used later. Native functions are also supported this
way by calling their name, e.g. globals.alert(1).
So how does the code look once it's been JSReg'd? Well, here is a code
sample:-

function x(){ var m=1; this.getM=function(){ return m; } }; y=new x; y.getM()

Which gets rewritten to:-

function $x$(){ var $m$=globals.number(1); this.$getM$=function(){ return $m$; } }; $y$=new $x$; $y$.$getM$()
As you may have noticed, I allow "this" to be used in this way, but I
disallow assignment or returning the value of "this". I may improve this
in future once I'm certain that it is safe to use.
At the moment I allow JSReg globals to be overwritten, but I might
prevent this at the regexp level or with setters, and there are a few
problems when not finishing a statement with a ";". Finally there's a
limitation regarding the scope: at the moment the prefixes and suffixes
are in the global scope, so $x$ is actually window.$x$. I plan to get
round this somehow so that $x$ is assigned to an object; I'm still working
that out.
Any comments or suggestions are of course welcome, but specifically I'm
looking for hacks to window or glaring errors in my RegExps. If you can
hack JSReg so that it returns window, please let me know.
Once I'm confident that it is a secure sandbox, I shall release it as
open source. You can have a go here:-
<http://www.businessinfo.co.uk/labs/jsreg/jsreg.html>
Cheers
Gareth
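The "safe function" idea from Gareth's post (whitelisted natives, a receiver check that rejects a missing receiver, an optional per-function object check, and a "globals" object with number/string wrappers), as an added illustration that is not JSReg's own code. The whitelist contents, the function names makeSafe/callSafely/tryCall and the use of globalThis as the stand-in for window are my assumptions.

```javascript
// Added illustration, not JSReg's code. Natives reachable from sandboxed code
// are only ever called through a wrapper that checks the receiver first, so a
// detached native (the (1,[].sort)() pattern from the post) cannot run with
// `this` falling through to the global object.

// Assumed whitelist: only these natives are exposed; "constructor" is not.
const WHITELIST = new Map([
  ['sort', Array.prototype.sort],
  ['join', Array.prototype.join],
  ['toUpperCase', String.prototype.toUpperCase],
]);

// Receivers that must never reach a native: none at all, or the global object
// itself (globalThis stands in for the browser's window here).
function isForbiddenReceiver(recv) {
  return recv === undefined || recv === null || recv === globalThis;
}

// Wrap a native as (receiver, ...args). The receiver check always runs; the
// optional extraCheck is the per-function "additional check on the object".
function makeSafe(name, fn, extraCheck) {
  return function safe(recv, ...args) {
    if (isForbiddenReceiver(recv)) {
      throw new TypeError(`${name}: called without a receiver`);
    }
    if (extraCheck && !extraCheck(recv)) {
      throw new TypeError(`${name}: receiver failed object check`);
    }
    return fn.apply(recv, args);
  };
}

// The "globals" object: a null-prototype bag holding only whitelisted names,
// plus the literal wrappers the rewriter emits (globals.number, globals.string).
const globals = Object.create(null);
globals.number = (n) => Number(n);
globals.string = (s) => String(s);
for (const [name, fn] of WHITELIST) {
  // sort additionally insists on a real array as its receiver.
  globals[name] = makeSafe(name, fn, name === 'sort' ? Array.isArray : null);
}

// What rewritten code would call: unknown names are refused outright.
function callSafely(name, recv, ...args) {
  if (!(name in globals)) throw new ReferenceError(`${name} is not whitelisted`);
  return globals[name](recv, ...args);
}

// Helper that reports outcome instead of throwing, for inspection.
function tryCall(name, recv, ...args) {
  try { return { ok: true, value: callSafely(name, recv, ...args) }; }
  catch (e) { return { ok: false, error: e.constructor.name }; }
}
```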
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
Brought to you by http://www.webappsec.org