Assuming you get the script in advance and you have time before running it
(user submits it), I would go with the uglify approach. I would then right a
new script using vm and would run it using child_process. I would check if it
lasts longer than expected. If ok, then save it and run it later whenever you
want.
--
Diogo Resende
On Friday, January 18, 2013 at 19:15 , Bradley Meck wrote:
> Austin: won't go into great detail, but heres a fun little example:
>
> ```javascript
> function exploit() {
> console.log.constructor("process.exit(42)")();
> }
> var result = require('vm').runInNewContext([
> '"use strict";',
> '('+exploit.toString()+')()'
> ].join('\n'), {console:console});
> console.log('I SURVIVED THE STORM!'); // it wont
>
> ```
>
> Thats pretty trivial and then prototype injection attacks can occur if you
> pass in natives and eventually use say... JSON.stringify if you override
> .toJSON, .toString, .constructor, .valueOf, .__proto__, ...
> Then it gets worse when you do something like say... get a hold of a
> non-strict mode function from a different scope by having it construct lets
> say a continuation callback ...
> Even still... get a hold of some options object that feeds into a secure area
> and set the options to something insecure (at a future point in time with
> lets say Object.defineProperty).
> ...
> it goes on...
> ...
>
> --
> Job Board: http://jobs.nodejs.org/
> Posting guidelines:
> https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines
> You received this message because you are subscribed to the Google
> Groups "nodejs" group.
> To post to this group, send email to [email protected]
> (mailto:[email protected])
> To unsubscribe from this group, send email to
> [email protected]
> (mailto:[email protected])
> For more options, visit this group at
> http://groups.google.com/group/nodejs?hl=en?hl=en
--
Job Board: http://jobs.nodejs.org/
Posting guidelines:
https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines
You received this message because you are subscribed to the Google
Groups "nodejs" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to
[email protected]
For more options, visit this group at
http://groups.google.com/group/nodejs?hl=en?hl=en
