Here's a proof of concept with OKDO. It's not that bad specifying the OKDO list in a config... (you could also do OKDO=: ... in config)
OKDO_jhs_ =: , ,&'_jquerydemo_' each ;: names_jquerydemo_ 3
OKDO_jhs_ =: OKDO_jhs_ , (<'jev_get_jfilesrc_') NB. needed for external files
OKDO_jhs_ =: OKDO_jhs_ , (<'jev_jquerydemo_') NB. needed for posts
jhscfg=: 3 : 0
..
if. _1=nc<'OKDO' do. OKDO=: '' end. NB. verbs allowed without login
...
)
main changes:
NB. J needs input - y is prompt - '' ' ' ' '
input=: 3 : 0
logapp 'jhs input prompt: ',":#y
try.
if. _1~:SKSERVER do. try. ".'urlresponse_',URL,'_ y' catch. end. end. NB. jijx
if. _1~:SKSERVER do. jbad'' end.
getdata'' NB. get and parse http request
checkAuth =. (0~:#PASS)*.(1~:+/cookie E. gethv'Cookie:')*.-.LHOK*.PEER-:LOCALHOST NB. 1 when a password is set, no session cookie was sent, and the peer is not localhost with LHOK
if. 1=NVDEBUG do. smoutput seebox NV end. NB. HNV,NV
if. (-.(<URL)e.boxopen OKURL)*.checkAuth
do. r=. 'jev_get_jlogin_ 0'
elseif. 1=RAW do. r=. 'jev_post_raw_',URL,'_'''''
elseif. 'post'-:METHOD do. r=. getv'jdo'
elseif. '.'e.URL do. r=. 'jev_get_jfilesrc_ URL_jhs_'
elseif. 1 do. r=. 'jev_get_',URL,'_'''''
end.
logapp 'jhs sentence: ',r
if. JZWSPU8-:3{.r do. r=. 3}.r end. NB. empty prompt kludge
rparts =. ;: r
NB. check to see if OKDO is specified,
NB. if so then the sentence must exist in the list and only two words can be specified
if. checkAuth *. (0<#OKDO) *. ((-.((0{rparts) e. OKDO)) +. (# rparts) > 2) NB. boolean instead of bare count, so *. is AND rather than LCM
do.
r=. 'jev_get_jlogin_ 0'
logappx 'not auth', (0{:: rparts)
end.
r
catch.
logappx 'input error'
exit'' NB. 2!:55[11 crashes
end.
)
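A stand-alone model of the OKDO first-word/two-word check, added here as an example (not part of the patch above), so it can be tried in a plain J session without JHS; the allowlist OKDOTEST and the sample sentences (the two attacks from the thread plus a permitted call) are constructed for illustration.

```j
NB. Added example: model of the OKDO check in input, runnable without JHS.
NB. Constructed allowlist in the locale-suffixed form the patch builds from names.
OKDOTEST=: 'jev_get_jquerydemo_';'jev_jquerydemo_';'jev_get_jfilesrc_'

NB. okdoCheck: 1 if sentence y passes the check (first word is in the
NB. list and the sentence has at most two words), 0 otherwise.
okdoCheck=: 3 : 0
r=. 0
try.
  rparts=. ;: y            NB. J word formation, as in the patch
  r=. ((0{rparts) e. OKDOTEST) *. 2 >: #rparts
catch.                     NB. ;: fails on an ill-formed sentence and 0{ on an
end.                       NB. empty one; both stay rejected (r=. 0)
r
)

NB. Constructed samples: a permitted call, the two attacks from the thread,
NB. and an attempt to hide extra words inside the argument.
SENTENCES=: 'jev_get_jquerydemo_ ''''' ; 'exit''''' ; 'PASS_jhs_ =: ''abc'' [ USER_jhs_=:''abc''' ; 'jev_get_jquerydemo_ (exit'''')'

NB. Show each sentence beside its verdict as a two-column boxed table.
SENTENCES ,. okdoCheck each SENTENCES
```

Only the first sentence passes; the parenthesised one is rejected because ;: splits it into five words, so the argument cannot carry a second verb.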
On Thu, Nov 10, 2016 at 3:14 PM, Joe Bogner <[email protected]> wrote:
> I am working with a JHS app and trying to secure it so only approved J
> expressions can run. Does JHS offer that capability?
>
> I can use OKURL to lock down the URL
>
> Example:
>
> OKURL_jhs_ =: 'jdemo1';'
>
> However, I can still send arbitrary J expressions to be evaluated
>
> For example, I can run a bookmarklet to include jquery on the page (or
> just use XmlHttpRequest directly)
>
> I can send expressions easily from the javascript console
>
> I can cause the process to exit
>
> $.post("/jdemo1", { jdo:"exit''"}, function(resp) { console.log(resp) })
>
> Or I can reset the username/password for jijx
>
> $.post("/jdemo1", { jdo:"PASS_jhs_ =: 'abc' [ USER_jhs_=:'abc'"},
> function(resp) { console.log(resp) })
>
>
> I am thinking something needs to be added to input in core.ijs to either:
>
> a. check against a list of expressions in OKDO .... which would be
> tedious to specify every action or
>
> b. to only allow expressions that match a verb in the app locale.
> Would that close up this security hole?
>
> For example, to turn on the flag would only allow these verbs to run
> -- input would return an error if the jdo did not match one of these
> verbs
>
> '' names_jdemo1_ 3
> create ev_roll_click jev_get
>
>
> Regardless of the solution OKURL has a serious security hole
> considering the username/password can be reset from a simple page.
>
> Thoughts?
>
>
> core.ijs:
>
>
> NB. J needs input - y is prompt - '' ' ' ' '
> input=: 3 : 0
> logapp 'jhs input prompt: ',":#y
> try.
> if. _1~:SKSERVER do. try. ".'urlresponse_',URL,'_ y' catch. end. end. NB. jijx
> if. _1~:SKSERVER do. jbad'' end.
> getdata'' NB. get and parse http request
> if. 1=NVDEBUG do. smoutput seebox NV end. NB. HNV,NV
> if. (-.(<URL)e.boxopen OKURL)*.(0~:#PASS)*.(1~:+/cookie E. gethv'Cookie:')*.-.LHOK*.PEER-:LOCALHOST
> do. r=. 'jev_get_jlogin_ 0'
> elseif. 1=RAW do. r=. 'jev_post_raw_',URL,'_'''''
> elseif. 'post'-:METHOD do. r=. getv'jdo'
> elseif. '.'e.URL do. r=. 'jev_get_jfilesrc_ URL_jhs_'
> elseif. 1 do. r=. 'jev_get_',URL,'_'''''
> end.
> logapp 'jhs sentence: ',r
> if. JZWSPU8-:3{.r do. r=. 3}.r end. NB. empty prompt kludge
> r NB. J sentence to run
>
> catch.
> logappx 'input error'
> exit'' NB. 2!:55[11 crashes
> end.
> )
----------------------------------------------------------------------
For information about J forums see http://www.jsoftware.com/forums.htm