You have raised an important concern. Years ago the java front end inspired the idea of a J sandbox that worked nicely. It is probably much better to work on something new than digging through that old stuff.
I think you are on the right track. We won't incorporate anything in the short term (we'll wait at least until 805 is official and widely adopted). But when the time is right, we'll see that work in this area is incorporated into the product. An important question is what is the goal. If the goal is to prevent inadvertent or casual bad things from happening, then simpler mechanisms work. Trying to prevent a smart, malicious attack is another ballgame. Two areas that I don't see covered in your current proposal are ". =. and =: and other things, which if allowed can pretty much do anything.

On Fri, Nov 11, 2016 at 6:00 PM, Joe Bogner <[email protected]> wrote:
> Here's a proof of concept with OKDO. It's not that bad specifying the OKDO
> list
>
> In a config... (you could also do OKDO=: ... in config )
>
> OKDO_jhs_ =: , ,&'_jquerydemo_' each ;: names_jquerydemo_ 3
> OKDO_jhs_ =: OKDO_jhs_ , (<'jev_get_jfilesrc_') NB. needed for external files
> OKDO_jhs_ =: OKDO_jhs_ , (<'jev_jquerydemo_') NB. needed for posts
>
> jhscfg=: 3 : 0
> ..
> if. _1=nc<'OKDO' do. OKDO=: '' end. NB. verbs allowed without login
> ...
> )
>
> main changes:
>
> NB. J needs input - y is prompt - '' ' ' ' '
> input=: 3 : 0
> logapp 'jhs input prompt: ',":#y
>
> try.
> if. _1~:SKSERVER do. try. ".'urlresponse_',URL,'_ y' catch. end. end. NB. jijx
> if. _1~:SKSERVER do. jbad'' end.
> getdata'' NB. get and parse http request
>
> checkAuth =. (0~:#PASS)*.(1~:+/cookie E. gethv'Cookie:')*.-.LHOK*.PEER-:LOCALHOST
>
> if. 1=NVDEBUG do. smoutput seebox NV end. NB. HNV,NV
> if. (-.(<URL)e.boxopen OKURL)*.checkAuth
> do. r=. 'jev_get_jlogin_ 0'
> elseif. 1=RAW do. r=. 'jev_post_raw_',URL,'_'''''
> elseif. 'post'-:METHOD do. r=. getv'jdo'
> elseif. '.'e.URL do. r=. 'jev_get_jfilesrc_ URL_jhs_'
> elseif. 1 do. r=. 'jev_get_',URL,'_'''''
> end.
> logapp 'jhs sentence: ',r
> if. JZWSPU8-:3{.r do. r=. 3}.r end. NB. empty prompt kludge
> rparts =. ;: r
>
> NB. check to see if OKDO is specified,
> NB. if so then the sentence must exist in the list and only two words can be specified
> if. checkAuth *. (#OKDO) *. ((-.((0{rparts) e. OKDO)) +. (# rparts) > 2)
> do.
> r=. 'jev_get_jlogin_ 0'
> logappx 'not auth', (0{:: rparts)
> end.
>
> r
>
> catch.
> logappx 'input error'
> exit'' NB. 2!:55[11 crashes
> end.
> )
>
>
> On Thu, Nov 10, 2016 at 3:14 PM, Joe Bogner <[email protected]> wrote:
> > I am working with a JHS app and trying to secure it so only approved J
> > expressions can run. Does JHS offer that capability?
> >
> > I can use OKURL to lock down the URL
> >
> > Example:
> >
> > OKURL_jhs_ =: 'jdemo1';'
> >
> > However, I can still send arbitrary J expressions to be evaluated
> >
> > For example, I can run a bookmarklet to include jquery on the page (or
> > just use XmlHttpRequest directly)
> >
> > I can send expressions easily from the javascript console
> >
> > I can cause the process to exit
> >
> > $.post("/jdemo1", { jdo:"exit''"}, function(resp) { console.log(resp) })
> >
> > Or I can reset the username/password for jijx
> >
> > $.post("/jdemo1", { jdo:"PASS_jhs_ =: 'abc' [ USER_jhs_=:'abc'"},
> > function(resp) { console.log(resp) })
> >
> > I am thinking something needs to be added to input in core.ijs to either:
> >
> > a. check against a list of expressions in OKDO .... which would be
> > tedious to specify every action or
> >
> > b. to only allow expressions that match a verb in the app locale.
> > Would that close up this security hole?
> >
> > For example, to turn on the flag would only allow these verbs to run
> > -- input would return an error if the jdo did not match one of these
> > verbs
> >
> > '' names_jdemo1_ 3
> > create ev_roll_click jev_get
> >
> > Regardless of the solution OKURL has a serious security hole
> > considering the username/password can be reset from a simple page.
> >
> > Thoughts?
> >
> > core.ijs:
> >
> > NB. J needs input - y is prompt - '' ' ' ' '
> > input=: 3 : 0
> > logapp 'jhs input prompt: ',":#y
> > try.
> > if. _1~:SKSERVER do. try. ".'urlresponse_',URL,'_ y' catch. end. end. NB. jijx
> > if. _1~:SKSERVER do. jbad'' end.
> > getdata'' NB. get and parse http request
> > if. 1=NVDEBUG do. smoutput seebox NV end. NB. HNV,NV
> > if. (-.(<URL)e.boxopen OKURL)*.(0~:#PASS)*.(1~:+/cookie E. gethv'Cookie:')*.-.LHOK*.PEER-:LOCALHOST
> > do. r=. 'jev_get_jlogin_ 0'
> > elseif. 1=RAW do. r=. 'jev_post_raw_',URL,'_'''''
> > elseif. 'post'-:METHOD do. r=. getv'jdo'
> > elseif. '.'e.URL do. r=. 'jev_get_jfilesrc_ URL_jhs_'
> > elseif. 1 do. r=. 'jev_get_',URL,'_'''''
> > end.
> > logapp 'jhs sentence: ',r
> > if. JZWSPU8-:3{.r do. r=. 3}.r end. NB. empty prompt kludge
> > r NB. J sentence to run
> >
> > catch.
> > logappx 'input error'
> > exit'' NB. 2!:55[11 crashes
> > end.
> > )
> ----------------------------------------------------------------------
> For information about J forums see http://www.jsoftware.com/forums.htm
> ----------------------------------------------------------------------
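To make the proposed OKDO rule concrete, the following is an added example, not code from this thread or from JHS itself: it lifts the check out of `input` into a standalone verb and runs it over the kinds of sentences discussed above (the ones JHS builds for GET requests, the `exit''` and `PASS_jhs_` payloads sent via `jdo`, and sentences that smuggle in `".`, `=.` or `=:`). The names `OKDO`, `okdo_check` and `TESTS` are assumptions, and the allowlist is hand-written here rather than built from `names_jquerydemo_ 3`.

```j
NB. Added example, not code from the thread or from JHS.
NB. Assumed names: OKDO (allowlist of verb names), okdo_check, TESTS.

NB. Hand-written allowlist standing in for what the proposal builds
NB. from names_jquerydemo_ 3 plus jev_get_jfilesrc_.
OKDO=: 'jev_get_jlogin_';'jev_get_jdemo1_';'jev_get_jfilesrc_'

NB. y is the sentence JHS is about to execute. Result: 1 allow, 0 reject.
NB. Rule from the proposal: the first word must be listed in OKDO and
NB. the sentence may have at most two words (verb plus one argument).
okdo_check=: 3 : 0
try. w=. ;: y catch. 0 return. end.   NB. unparseable sentence (e.g. open quote): reject
if. 0=#w do. 0 return. end.           NB. empty sentence: nothing to allow, reject
((0{w) e. OKDO) *. 2 >: #w
)

NB. Constructed test sentences (boxed list of J sentences as strings).
TESTS=: 'jev_get_jdemo1_ '''''                               NB. verb + empty string, as built for a GET
TESTS=: TESTS ; 'jev_get_jfilesrc_ URL_jhs_'                 NB. file serving sentence
TESTS=: TESTS ; 'exit'''''                                   NB. jdo payload from the first post
TESTS=: TESTS ; 'PASS_jhs_ =: ''abc'' [ USER_jhs_ =: ''abc''' NB. credential reset via =:
TESTS=: TESTS ; 'jev_get_jdemo1_ ". ''exit 0'''              NB. listed verb, but ". as a third word
TESTS=: TESTS ; '". ''exit 0'''                              NB. ". as the first word
TESTS=: TESTS ; 'x =. 1'                                     NB. local assignment, three words
TESTS=: TESTS ; ''                                           NB. empty sentence

NB. Apply the check to every test sentence; one 1/0 per sentence.
okdo_check&> TESTS
```

The first two sentences pass (listed verb plus a single argument); every other one is rejected, either because the first word is not in `OKDO` (`exit`, `PASS_jhs_`, `".`, `x`) or because the sentence has more than two words. That is also how the rule handles the `".`, `=.` and `=:` cases raised above: they can never be the first word, and with a two-word limit they cannot appear after a listed verb either. What the rule says nothing about is what a listed verb does with its one argument, so any verb in the allowlist that itself evaluates or assigns from its argument has to be taken out of `OKDO` by hand.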
