I am working with a JHS app and trying to secure it so only approved J
expressions can run. Does JHS offer that capability?
I can use OKURL to lock down the URL
Example:
OKURL_jhs_=: 'jdemo1'   NB. boxopen in input accepts a single string or a boxed list of URLs
However, I can still send arbitrary J expressions to be evaluated.
For example, I can run a bookmarklet to include jQuery on the page (or
just use XMLHttpRequest directly).
I can send expressions easily from the JavaScript console.
I can cause the process to exit
$.post("/jdemo1", { jdo:"exit''"}, function(resp) { console.log(resp) })
Or I can reset the username/password for jijx:
$.post("/jdemo1", { jdo:"PASS_jhs_ =: 'abc' [ USER_jhs_=:'abc'"}, function(resp) { console.log(resp) })
I am thinking something needs to be added to input in core.ijs to either:
a. check against a list of expressions in OKDO, which would be tedious
since every action would have to be specified, or
b. only allow expressions that match a verb in the app locale.
Would that close up this security hole?
For example, turning on the flag would allow only these verbs to run;
input would return an error if the jdo did not match one of these
verbs:
'' names_jdemo1_ 3
create ev_roll_click jev_get
Regardless of the solution, OKURL has a serious security hole,
considering the username/password can be reset from a simple page.
Thoughts?
core.ijs:
NB. J needs input - y is prompt - '' ' ' ' '
input=: 3 : 0
logapp 'jhs input prompt: ',":#y
try.
if. _1~:SKSERVER do. try. ".'urlresponse_',URL,'_ y' catch. end. end. NB. jijx
if. _1~:SKSERVER do. jbad'' end.
getdata'' NB. get and parse http request
if. 1=NVDEBUG do. smoutput seebox NV end. NB. HNV,NV
if. (-.(<URL)e.boxopen OKURL)*.(0~:#PASS)*.(1~:+/cookie E. gethv'Cookie:')*.-.LHOK*.PEER-:LOCALHOST
do. r=. 'jev_get_jlogin_ 0'
elseif. 1=RAW do. r=. 'jev_post_raw_',URL,'_'''''
elseif. 'post'-:METHOD do. r=. getv'jdo'
elseif. '.'e.URL do. r=. 'jev_get_jfilesrc_ URL_jhs_'
elseif. 1 do. r=. 'jev_get_',URL,'_'''''
end.
logapp 'jhs sentence: ',r
if. JZWSPU8-:3{.r do. r=. 3}.r end. NB. empty prompt kludge
r NB. J sentence to run
catch.
logappx 'input error'
exit'' NB. 2!:55[11 crashes
end.
)
----------------------------------------------------------------------
For information about J forums see http://www.jsoftware.com/forums.htm
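An allow-list check along the lines of option (b) in the post, added here as an example. It is not code from core.ijs or JHS: the verb name okjdo, the use of the global URL that input already sets, and the assumed shape of a legitimate POSTed sentence (one locative verb in the app locale followed by one quoted string literal) are all assumptions made for illustration.

```j
NB. Added example, not core.ijs or JHS code.
NB. okjdo y: 1 if the jdo sentence y is a single call of a verb defined in the
NB. app locale named by URL, with one quoted string literal as its argument.
NB. The sentence shape  verb_locale_ 'literal'  is an assumption.
okjdo=: 3 : 0
try. w=. ;:y catch. 0 return. end.            NB. tokenize; malformed input (open quote) is rejected
if. 2~:#w do. 0 return. end.                  NB. must be exactly two words: name, argument
'nm arg'=. w
sfx=. '_',URL,'_'                             NB. locative suffix of the app locale
if. -. sfx -: (-#sfx){.nm do. 0 return. end.  NB. name must be a locative into the app locale
if. '''' ~: {.arg do. 0 return. end.          NB. argument must be a quoted string literal
base=. (-#sfx)}.nm                            NB. verb name without the locative suffix
loc=. <URL
(<base) e. nl__loc 3                          NB. 1 iff base is a verb defined in locale URL
)

NB. Stand-alone check with constructed data: a tiny app locale and a URL value
ev_roll_click_jdemo1_=: 3 : 'y'
URL=: 'jdemo1'
okjdo 'ev_roll_click_jdemo1_ ''click'''
okjdo 'exit'''''
okjdo 'PASS_jhs_ =: ''abc'' [ USER_jhs_=:''abc'''
okjdo 'ev_roll_click_jdemo1_ (exit'''')'
```

Only the first of the four constructed sentences passes: exit'' is not a locative into jdemo1, the PASS/USER reset is seven words rather than two, and a parenthesised argument is rejected because the argument must be a single quoted literal. The natural hook is the 'post' branch of input: after r=. getv'jdo', replace r with an error sentence when 0=okjdo r. The check gates only the POST path (the GET path builds its sentence from URL, which OKURL already constrains), and it does not help if an allowed verb itself evaluates its argument with ". ; it also leaves the PASS/USER question untouched, since nothing here authenticates the caller.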