Eric, thanks for the reply. I agree that it is important to understand the goal. I don't think it's possible to completely secure anything that's connected to the internet. The goal is typically to make it impractical to attack. J has an advantage through its obscurity, but I think more is needed if a JHS app will be available on the public internet.
J has good defaults of binding to localhost. I think the combination of USER, PASS and OKURL needs some mention in the documentation or on startup that it's not meant for security. It acts more as a deterrent, akin to a "no trespassing" sign or a 4 foot fence. Back to the goal: applications and devices connected to the internet should make it reasonably difficult for their host machine to be compromised. This came to light with the recent botnet DDoS attacks [1]. All sorts of bad things can happen when an application allows unfiltered remote code execution.

The current proposal should cover ". =. and =: because it only allows input that's in a whitelist of statements. The whitelist would typically be only what's required to serve J pages (e.g. ev_get_jfilesrc_) and verbs defined in the application locale. It may have gaps still, which is why it's important to let others poke holes in it.

Thanks again,
Joe

1 - https://krebsonsecurity.com/2016/10/hacked-cameras-dvrs-powered-todays-massive-internet-outage/

On Sun, Nov 13, 2016 at 4:16 PM, Eric Iverson <[email protected]> wrote:
> You have raised an important concern. Years ago the java front end inspired
> the idea of a J sandbox that worked nicely. It is probably much better to
> work on something new than digging through that old stuff.
>
> I think you are on the right track. We won't incorporate anything in the
> short term (we'll wait at least until 805 is official and widely adopted).
> But when the time is right, we'll see that work in this area is
> incorporated into the product.
>
> An important question is what is the goal. If the goal is to prevent
> inadvertent or casual bad things from happening, then simpler mechanisms
> work. Trying to prevent a smart, malicious attack is another ballgame. Two
> areas that I don't see covered in your current proposal are ". =. and =:
> and other things, which if allowed can pretty much do anything.
>
> On Fri, Nov 11, 2016 at 6:00 PM, Joe Bogner <[email protected]> wrote:
>
>> Here's a proof of concept with OKDO. It's not that bad specifying the OKDO
>> list
>>
>> In a config... (you could also do OKDO=: ... in config )
>>
>> OKDO_jhs_ =: , ,&'_jquerydemo_' each ;: names_jquerydemo_ 3
>> OKDO_jhs_ =: OKDO_jhs_ , (<'jev_get_jfilesrc_') NB. needed for external files
>> OKDO_jhs_ =: OKDO_jhs_ , (<'jev_jquerydemo_') NB. needed for posts
>>
>> jhscfg=: 3 : 0
>> ..
>> if. _1=nc<'OKDO' do. OKDO=: '' end. NB. verbs allowed without login
>> ...
>> )
>>
>> main changes:
>>
>> NB. J needs input - y is prompt - '' ' ' ' '
>> input=: 3 : 0
>> logapp 'jhs input prompt: ',":#y
>>
>> try.
>> if. _1~:SKSERVER do. try. ".'urlresponse_',URL,'_ y' catch. end. end. NB. jijx
>> if. _1~:SKSERVER do. jbad'' end.
>> getdata'' NB. get and parse http request
>>
>> checkAuth =. (0~:#PASS)*.(1~:+/cookie E. gethv'Cookie:')*.-.LHOK*.PEER-:LOCALHOST
>>
>> if. 1=NVDEBUG do. smoutput seebox NV end. NB. HNV,NV
>> if. (-.(<URL)e.boxopen OKURL)*.checkAuth
>> do. r=. 'jev_get_jlogin_ 0'
>> elseif. 1=RAW do. r=. 'jev_post_raw_',URL,'_'''''
>> elseif. 'post'-:METHOD do. r=. getv'jdo'
>> elseif. '.'e.URL do. r=. 'jev_get_jfilesrc_ URL_jhs_'
>> elseif. 1 do. r=. 'jev_get_',URL,'_'''''
>> end.
>> logapp 'jhs sentence: ',r
>> if. JZWSPU8-:3{.r do. r=. 3}.r end. NB. empty prompt kludge
>> rparts =. ;: r
>>
>> NB. check to see if OKDO is specified,
>> NB. if so then the sentence must exist in the list and only two words can be specified
>> if. checkAuth *. (#OKDO) *. ((-.((0{rparts) e. OKDO)) +. (# rparts) > 2) do.
>> r=. 'jev_get_jlogin_ 0'
>> logappx 'not auth', (0{:: rparts)
>> end.
>>
>> r
>>
>> catch.
>> logappx 'input error'
>> exit'' NB. 2!:55[11 crashes
>> end.
>> )
>>
>> On Thu, Nov 10, 2016 at 3:14 PM, Joe Bogner <[email protected]> wrote:
>> > I am working with a JHS app and trying to secure it so only approved J
>> > expressions can run. Does JHS offer that capability?
>> >
>> > I can use OKURL to lock down the URL
>> >
>> > Example:
>> >
>> > OKURL_jhs_ =: 'jdemo1';'
>> >
>> > However, I can still send arbitrary J expressions to be evaluated
>> >
>> > For example, I can run a bookmarklet to include jquery on the page (or
>> > just use XmlHttpRequest directly)
>> >
>> > I can send expressions easily from the javascript console
>> >
>> > I can cause the process to exit
>> >
>> > $.post("/jdemo1", { jdo:"exit''"}, function(resp) { console.log(resp) })
>> >
>> > Or I can reset the username/password for jijx
>> >
>> > $.post("/jdemo1", { jdo:"PASS_jhs_ =: 'abc' [ USER_jhs_=:'abc'"},
>> > function(resp) { console.log(resp) })
>> >
>> > I am thinking something needs to be added to input in core.ijs to either:
>> >
>> > a. check against a list of expressions in OKDO .... which would be
>> > tedious to specify every action or
>> >
>> > b. to only allow expressions that match a verb in the app locale.
>> > Would that close up this security hole?
>> >
>> > For example, to turn on the flag would only allow these verbs to run
>> > -- input would return an error if the jdo did not match one of these
>> > verbs
>> >
>> > '' names_jdemo1_ 3
>> > create ev_roll_click jev_get
>> >
>> > Regardless of the solution OKURL has a serious security hole
>> > considering the username/password can be reset from a simple page.
>> >
>> > Thoughts?
>> >
>> > core.ijs:
>> >
>> > NB. J needs input - y is prompt - '' ' ' ' '
>> > input=: 3 : 0
>> > logapp 'jhs input prompt: ',":#y
>> > try.
>> > if. _1~:SKSERVER do. try. ".'urlresponse_',URL,'_ y' catch. end. end. NB. jijx
>> > if. _1~:SKSERVER do. jbad'' end.
>> > getdata'' NB. get and parse http request
>> > if. 1=NVDEBUG do. smoutput seebox NV end. NB. HNV,NV
>> > if. (-.(<URL)e.boxopen OKURL)*.(0~:#PASS)*.(1~:+/cookie E. gethv'Cookie:')*.-.LHOK*.PEER-:LOCALHOST
>> > do. r=. 'jev_get_jlogin_ 0'
>> > elseif. 1=RAW do. r=. 'jev_post_raw_',URL,'_'''''
>> > elseif. 'post'-:METHOD do. r=. getv'jdo'
>> > elseif. '.'e.URL do. r=. 'jev_get_jfilesrc_ URL_jhs_'
>> > elseif. 1 do. r=. 'jev_get_',URL,'_'''''
>> > end.
>> > logapp 'jhs sentence: ',r
>> > if. JZWSPU8-:3{.r do. r=. 3}.r end. NB. empty prompt kludge
>> > r NB. J sentence to run
>> >
>> > catch.
>> > logappx 'input error'
>> > exit'' NB. 2!:55[11 crashes
>> > end.
>> > )
>> ----------------------------------------------------------------------
>> For information about J forums see http://www.jsoftware.com/forums.htm
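An added example, not code from the thread: the OKDO gate from the proposed input change, factored out into a standalone verb so it can be exercised at the J prompt against the sentences discussed above. The names OKDO and okdo and the sample allowlist are assumptions for this illustration.

```j
NB. Added example, not code from the thread: the OKDO gate from the proposed
NB. input change, factored into a standalone verb so it can be exercised at
NB. the J prompt. The names OKDO and okdo and the sample allowlist below are
NB. assumptions for this illustration.

NB. Allowlist of boxed verb names a page may invoke (constructed sample).
OKDO=: ;: 'create ev_roll_click jev_get_jdemo1_ jev_get_jfilesrc_'

NB. okdo y : 1 if sentence y passes the gate, 0 otherwise.
NB. Rule from the proposal: the first word must be in OKDO and the sentence
NB. may have at most two words (verb, optional single argument). A sentence
NB. such as  create ". 'x'  or  create =: 1  has three words, so an allowed
NB. verb cannot be followed by an execute or an assignment.
okdo=: 3 : 0
  try. rparts=. ;: y catch. 0 return. end.   NB. unparseable sentence: reject
  if. 0=#rparts do. 0 return. end.           NB. empty sentence: reject
  ((0{rparts) e. OKDO) *. 2 >: #rparts
)

NB. Sentences a page legitimately sends (allowed verb, at most one argument)
okdo 'create'
okdo 'jev_get_jfilesrc_ URL_jhs_'

NB. The sentences posted earlier in the thread: first word is not in OKDO
okdo 'exit'''''
okdo 'PASS_jhs_ =: ''abc'' [ USER_jhs_=:''abc'''

NB. Allowed first word, but three words, so the ". is never reached
okdo 'create ". ''exit'''''''
```

The gate inspects only the first word and the word count; what an allowed verb does with its single argument (which may itself be any name) remains the application's responsibility.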
