Malicious code with limited character set?

Discussion in 'Javascript' started by Paul E Collins, Mar 30, 2007.

  1. Hello.

    Some software I work on needs the ability to evaluate arithmetical
    expressions at run-time. (Specifically, the user can enter a custom
    formula to calculate the number of vehicles required to hold certain
    sizes of container.) Since the C# libraries do not offer this, we are
    calling into a separate .NET DLL, written in JScript, that merely
    performs "eval" on a string and returns the result as a double.

    Of course, "eval" can be used to execute arbitrary code. For example,
    a formula of "for(;;){}" would lock up the program in an infinite
    loop. To avoid this, I am restricting the formula to a minimal set of
    characters, specifically:

    - The digits 0 to 9, the brackets ( ) and the decimal point.
    - The arithmetic, bitwise and ternary operators + - * / % < > = ~ & |
    ^ ? :
    - The letters a-z and A-Z (to permit usage of Math.Floor etc.).

    Without semicolons or braces, I believe the user will not be able to
    create an expression that does anything bad (such as an infinite loop
    or attempts at file access). Can anyone prove me wrong?

    Eq.
    Paul E Collins, Mar 30, 2007
    #1

  2. "Paul E Collins" <> wrote:

    > Without semicolons or braces, I believe the user will not be able to
    > create an expression that does anything bad (such as an infinite
    > loop or attempts at file access). Can anyone prove me wrong?
    Curses. I've just found out that the semicolon isn't necessary, i.e.
    this infinite loop will work in "eval" rather than raising a syntax
    error: while(true)continue

    I think I'll just have to ban upper- and lower-case letters altogether
    unless they form part of a recognised Math library function.

    Eq.
    Paul E Collins, Mar 30, 2007
    #2

  3. Paul E Collins

    shimmyshack Guest

    On 30 Mar, 14:49, "Paul E Collins" <>
    wrote:
    > "Paul E Collins" <> wrote:
    >
    > > Without semicolons or braces, I believe the user will not be able to
    > > create an expression that does anything bad (such as an infinite
    > > loop or attempts at file access). Can anyone prove me wrong?

    >
    > Curses. I've just found out that the semicolon isn't necessary, i.e.
    > this infinite loop will work in "eval" rather than raising a syntax
    > error: while(true)continue
    >
    > I think I'll just have to ban upper- and lower-case letters altogether
    > unless they form part of a recognised Math library function.
    >
    > Eq.
    can you set limits on the resources (CPU/time,mem) this dll will use,
    and if the call throws an error... IMHO blacklisting will never work,
    someone who wants to will find a way.
    What model can you impose for the class of expression do you allow, if
    you only allowed polynomials up to a certain degree, or allowed only
    certain types of formatting of certain operators, I'm thinking of ^(a/
    b) for roots, you could lock the thing down using regular expressions.
    It would be up to the customer not to try to use
    ^(123^123456/-6^(-7)) because you only accept ^a/b where a and b are
    integers, (^c where c is rational) up to a certain accuracy.
    Am I being too simplistic or forcing your users to jump through too
    many hoops, how advanced are they? - the more advanced the less
    restrictions they would mind.
    shimmyshack, Mar 30, 2007
    #3
  4. "shimmyshack" <> wrote:

    > can you set limits on the resources (CPU/time,mem) this
    > dll will use, and if the call throws an error...
    Evaluation errors aren't a problem, because JScript's exception can be
    caught and handled in C#. Giving it only a set amount of time to run
    before aborting is possible, but hopefully not necessary (see below);
    it also wouldn't help if the code did some short-lived evil thing like
    overwriting a file.

    > > I think I'll just have to ban upper- and lower-case letters
    > > altogether unless they form part of a recognised Math
    > > library function.

    >
    > IMHO blacklisting will never work,
    What I meant there - and what I've done for now - is to temporarily
    remove the entire names of known acceptable functions such as
    "Math.Floor" (the ones we offer in a dropdown list) and then check the
    remainder for only containing digits and math operators. Writing
    meaningful JS code without the use of letters should be impossible, so
    I think it's safe enough now.

    > you could lock the thing down using regular expressions.
    That seems like a good idea. I'll look into that one as well.

    Eq.
    Paul E Collins, Mar 30, 2007
    #4
  5. Paul E Collins

    shimmyshack Guest

    On Mar 30, 10:07 pm, "Paul E Collins" <>
    wrote:
    > "shimmyshack" <> wrote:
    > > can you set limits on the resources (CPU/time,mem) this
    > > dll will use, and if the call throws an error...

    >
    > Evaluation errors aren't a problem, because JScript's exception can be
    > caught and handled in C#. Giving it only a set amount of time to run
    > before aborting is possible, but hopefully not necessary (see below);
    > it also wouldn't help if the code did some short-lived evil thing like
    > overwriting a file.
    >
    > > > I think I'll just have to ban upper- and lower-case letters
    > > > altogether unless they form part of a recognised Math
    > > > library function.

    >
    > > IMHO blacklisting will never work,

    >
    > What I meant there - and what I've done for now - is to temporarily
    > remove the entire names of known acceptable functions such as
    > "Math.Floor" (the ones we offer in a dropdown list) and then check the
    > remainder for only containing digits and math operators. Writing
    > meaningful JS code without the use of letters should be impossible, so
    > I think it's safe enough now.
    >
    > > you could lock the thing down using regular expressions.

    >
    > That seems like a good idea. I'll look into that one as well.
    >
    > Eq.
    yeah I was thinking - if you want free form equations to be executed
    good luck! - but if you have a model for the type of equation they
    will use, then you're laughing. I mean you are likely to get types of
    expression, like a n degree polynomial, great, you're laughing, or it
    must have a term in e^n where n is rational, great! Using the real
    world problem and getting the likely expression will help you here. I
    mean they are unlikely to need a tanh curve in there!!
    shimmyshack, Mar 30, 2007
    #5
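    The two ideas in this thread, Paul's allowlist of recognised function names (#4) and shimmyshack's point that you should impose a model on the class of expression you accept (#3, #5), combine naturally into a small recursive-descent evaluator that never hands the string to eval at all: the grammar is the allowlist, so `while(true)continue` or `for(;;){}` are rejected as unparseable rather than executed. This is an added example, not code from the thread; the function table and the sample formulas are assumptions.

```javascript
// Added example: evaluate a user formula without eval. Only numbers, + - * / %,
// parentheses and the functions in FUNCS are part of the grammar; every other
// token or name is a hard error. FUNCS and the test formulas are assumptions.
const FUNCS = {
  floor: Math.floor, ceil: Math.ceil, round: Math.round,
  abs: Math.abs, sqrt: Math.sqrt, min: Math.min, max: Math.max,
};

function tokenize(src) {
  const tokens = [];
  let i = 0;
  while (i < src.length) {
    const c = src[i];
    if (/\s/.test(c)) { i++; continue; }
    if (/[0-9.]/.test(c)) {                    // number literal
      let j = i; while (j < src.length && /[0-9.]/.test(src[j])) j++;
      const num = Number(src.slice(i, j));       // "1.2.3" -> NaN -> rejected
      if (!Number.isFinite(num)) throw new Error(`bad number ${src.slice(i, j)}`);
      tokens.push({ t: 'num', v: num }); i = j; continue;
    }
    if (/[A-Za-z]/.test(c)) {                  // identifier (checked against FUNCS later)
      let j = i; while (j < src.length && /[A-Za-z]/.test(src[j])) j++;
      tokens.push({ t: 'id', v: src.slice(i, j) }); i = j; continue;
    }
    if ('+-*/%(),'.includes(c)) { tokens.push({ t: 'op', v: c }); i++; continue; }
    throw new Error(`illegal character ${JSON.stringify(c)}`); // ';', '{', '=', ...
  }
  return tokens;
}

function evaluate(src) {
  const toks = tokenize(src);
  let p = 0;
  const peek = () => toks[p];
  const isOp = (v) => peek() && peek().t === 'op' && peek().v === v;
  const take = (v) => {                        // consume next token, optionally checking it
    const tok = toks[p++];
    if (!tok || (v !== undefined && tok.v !== v)) throw new Error(`expected ${v || 'operand'}`);
    return tok;
  };
  function expr() {                            // expr := term (('+'|'-') term)*
    let x = term();
    while (isOp('+') || isOp('-')) x = take().v === '+' ? x + term() : x - term();
    return x;
  }
  function term() {                            // term := unary (('*'|'/'|'%') unary)*
    let x = unary();
    while (isOp('*') || isOp('/') || isOp('%')) {
      const op = take().v, y = unary();
      x = op === '*' ? x * y : op === '/' ? x / y : x % y;
    }
    return x;
  }
  function unary() { return isOp('-') ? (take(), -unary()) : primary(); }
  function primary() {                         // number | '(' expr ')' | name '(' args ')'
    const tok = take();
    if (tok.t === 'num') return tok.v;
    if (tok.t === 'op' && tok.v === '(') { const x = expr(); take(')'); return x; }
    if (tok.t === 'id') {
      // hasOwnProperty so that inherited names like "constructor" are not callable
      if (!Object.prototype.hasOwnProperty.call(FUNCS, tok.v)) throw new Error(`unknown function ${tok.v}`);
      take('('); const args = [expr()];
      while (isOp(',')) { take(); args.push(expr()); }
      take(')'); return FUNCS[tok.v](...args);
    }
    throw new Error(`unexpected ${tok.v}`);
  }
  const result = expr();
  if (p !== toks.length) throw new Error(`trailing input ${toks[p].v}`);
  return result;
}
```

Because there is no eval, banning characters becomes unnecessary: a keyword such as `while` is simply an unknown function and a `;` is an illegal character, and resource limits are only needed against the arithmetic itself.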
