Bytes | Software Development & Data Engineering Community

Malicious code with limited character set?

Hello.

Some software I work on needs the ability to evaluate arithmetical
expressions at run-time. (Specifically, the user can enter a custom
formula to calculate the number of vehicles required to hold certain
sizes of container.) Since the C# libraries do not offer this, we are
calling into a separate .NET DLL, written in JScript, that merely
performs "eval" on a string and returns the result as a double.

Of course, "eval" can be used to execute arbitrary code. For example,
a formula of "for(;;){}" would lock up the program in an infinite
loop. To avoid this, I am restricting the formula to a minimal set of
characters, specifically:

- The digits 0 to 9, the brackets ( ) and the decimal point.
- The arithmetic, bitwise and ternary operators + - * / % < = ~ & | ^ ? :
- The letters a-z and A-Z (to permit usage of Math.Floor etc.).

Without semicolons or braces, I believe the user will not be able to
create an expression that does anything bad (such as an infinite loop
or attempts at file access). Can anyone prove me wrong?

Eq.
Mar 30 '07 #1
"Paul E Collins" <fi******************@CL4.org> wrote:
> Without semicolons or braces, I believe the user will not be able to
> create an expression that does anything bad (such as an infinite
> loop or attempts at file access). Can anyone prove me wrong?

Curses. I've just found out that the semicolon isn't necessary, i.e.
this infinite loop will work in "eval" rather than raising a syntax
error: while(true)continue

I think I'll just have to ban upper- and lower-case letters altogether
unless they form part of a recognised Math library function.

Eq.
Mar 30 '07 #2
On 30 Mar, 14:49, "Paul E Collins" <find_my_real_addr...@CL4.org>
wrote:
> "Paul E Collins" <find_my_real_addr...@CL4.org> wrote:
>> Without semicolons or braces, I believe the user will not be able to
>> create an expression that does anything bad (such as an infinite
>> loop or attempts at file access). Can anyone prove me wrong?
>
> Curses. I've just found out that the semicolon isn't necessary, i.e.
> this infinite loop will work in "eval" rather than raising a syntax
> error: while(true)continue
>
> I think I'll just have to ban upper- and lower-case letters altogether
> unless they form part of a recognised Math library function.
>
> Eq.

Can you set limits on the resources (CPU/time, memory) this DLL will
use, and on what happens if the call throws an error? IMHO blacklisting
will never work; someone who wants to will find a way.
What model can you impose for the class of expression you allow? If
you only allowed polynomials up to a certain degree, or allowed only
certain types of formatting of certain operators (I'm thinking of ^(a/
b) for roots), you could lock the thing down using regular expressions.
It would be up to the customer not to try to use
^(123^123456/-6^(-7)), because you only accept ^a/b where a and b are
integers (^c where c is rational) up to a certain accuracy.
Am I being too simplistic, or forcing your users to jump through too
many hoops? How advanced are they? The more advanced they are, the
fewer restrictions they would mind.

Mar 30 '07 #3
"shimmyshack" <ma********@gmail.com> wrote:
> can you set limits on the resources (CPU/time,mem) this
> dll will use, and if the call throws an error...

Evaluation errors aren't a problem, because JScript's exception can be
caught and handled in C#. Giving it only a set amount of time to run
before aborting is possible, but hopefully not necessary (see below);
it also wouldn't help if the code did some short-lived evil thing like
overwriting a file.

>> I think I'll just have to ban upper- and lower-case letters
>> altogether unless they form part of a recognised Math
>> library function.
>
> IMHO blacklisting will never work,

What I meant there - and what I've done for now - is to temporarily
remove the entire names of known acceptable functions such as
"Math.Floor" (the ones we offer in a dropdown list) and then check the
remainder for only containing digits and math operators. Writing
meaningful JS code without the use of letters should be impossible, so
I think it's safe enough now.

> you could lock the thing down using regular expressions.

That seems like a good idea. I'll look into that one as well.

Eq.
Mar 30 '07 #4
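As an added example (not code from the thread, and in plain JavaScript rather than the JScript.NET DLL the poster calls from C#), the three ideas in the posts above side by side: the character whitelist from the first post, which accepts the `while(true)continue` from post #2 because it consists only of letters and brackets; the strip-known-names check from post #4; and a small recursive-descent evaluator that replaces eval altogether, so the safety argument no longer rests on guessing what JScript can or cannot express within a given character set. Assumptions of this example: JavaScript's Math functions are lower-case (`Math.floor` stands in for the thread's "Math.Floor"), the `variables` map for named inputs such as a container count is this example's own addition, and the bitwise operators from the original list are left out.

```javascript
// The original post's character set, plus whitespace so formulas can be spaced out.
const CHAR_WHITELIST = /^[0-9().+\-*\/%<=~&|^?:A-Za-z\s]*$/;
function passesCharWhitelist(formula) { return CHAR_WHITELIST.test(formula); }

// The only identifiers the evaluator resolves. JavaScript's Math uses lower-case names;
// the thread's "Math.Floor" is taken to mean Math.floor.
const FUNCTIONS = {
  "Math.floor": Math.floor, "Math.ceil": Math.ceil, "Math.round": Math.round,
  "Math.abs": Math.abs, "Math.max": Math.max, "Math.min": Math.min,
};

// Post #4's check: delete the exact names of the offered functions, then require that
// whatever is left contains only digits and operators.
function passesStripCheck(formula, knownNames = Object.keys(FUNCTIONS)) {
  let rest = formula;
  for (const name of knownNames) rest = rest.split(name).join("");
  return /^[0-9().+\-*\/%<=~&|^?:\s]*$/.test(rest);
}

// Binary operators with precedence (higher binds tighter); comparisons yield 1 or 0.
// The bitwise operators from the original set are deliberately left out.
const BINARY = {
  "<": [1, (a, b) => +(a < b)], "<=": [1, (a, b) => +(a <= b)], "==": [1, (a, b) => +(a === b)],
  "+": [2, (a, b) => a + b], "-": [2, (a, b) => a - b],
  "*": [3, (a, b) => a * b], "/": [3, (a, b) => a / b], "%": [3, (a, b) => a % b],
};

// Split a formula into numbers, identifiers and the operators the evaluator knows.
function tokenize(src) {
  const tokens = [];
  for (let i = 0; i < src.length; ) {
    const rest = src.slice(i);
    let m;
    if ((m = /^\s+/.exec(rest))) { i += m[0].length; continue; }
    if ((m = /^(?:\d+\.?\d*|\.\d+)/.exec(rest))) {
      tokens.push({ type: "num", value: parseFloat(m[0]) });
    } else if ((m = /^[A-Za-z_][A-Za-z0-9_.]*/.exec(rest))) {
      tokens.push({ type: "ident", value: m[0] });
    } else if ((m = /^(?:<=|==|[-+*\/%()<?:,])/.exec(rest))) {
      tokens.push({ type: "op", value: m[0] });
    } else {
      throw new SyntaxError(`unexpected character '${rest[0]}' at ${i}`); // ';', '{', a lone '=' land here
    }
    i += m[0].length;
  }
  return tokens;
}

// Evaluate a formula without eval. Unknown identifiers are rejected while parsing and the
// grammar has no loops or assignment, so work is bounded by the length of the input.
// `variables` is an assumption of this example, not something the thread describes.
function evaluate(src, variables = {}) {
  const toks = tokenize(src);
  let pos = 0;
  const peekIs = (v) => pos < toks.length && toks[pos].value === v;
  const expect = (v) => { if (!peekIs(v)) throw new SyntaxError(`expected '${v}'`); pos++; };
  function ternary() {                                  // cond ? a : b
    const cond = binary(1);
    if (!peekIs("?")) return cond;
    pos++; const a = ternary();
    expect(":"); const b = ternary();
    return cond ? a : b;
  }
  function binary(minPrec) {                            // precedence climbing
    let left = unary();
    for (;;) {
      const t = toks[pos];
      const op = t && t.type === "op" ? BINARY[t.value] : undefined;
      if (!op || op[0] < minPrec) return left;
      pos++;
      left = op[1](left, binary(op[0] + 1));
    }
  }
  function unary() {
    if (peekIs("-")) { pos++; return -unary(); }
    if (peekIs("+")) { pos++; return unary(); }
    return primary();
  }
  function primary() {
    const t = toks[pos++];
    if (!t) throw new SyntaxError("unexpected end of formula");
    if (t.type === "num") return t.value;
    if (t.type === "op" && t.value === "(") { const v = ternary(); expect(")"); return v; }
    if (t.type !== "ident") throw new SyntaxError(`unexpected token '${t.value}'`);
    if (Object.prototype.hasOwnProperty.call(variables, t.value)) return variables[t.value];
    if (!Object.prototype.hasOwnProperty.call(FUNCTIONS, t.value)) {
      throw new SyntaxError(`unknown identifier '${t.value}'`); // 'while', 'true', 'continue' land here
    }
    expect("(");
    const args = [];
    while (!peekIs(")")) { args.push(ternary()); if (!peekIs(",")) break; pos++; }
    expect(")");
    return FUNCTIONS[t.value](...args);
  }
  const result = ternary();
  if (pos !== toks.length) throw new SyntaxError(`unexpected token '${toks[pos].value}'`);
  return result;
}

// True when the evaluator refuses a formula instead of running it.
function rejects(formula) {
  try { evaluate(formula); return false; } catch (e) { return e instanceof SyntaxError; }
}
```

With the parser in place, the question in the first post is answered by construction rather than by enumeration: the only things the grammar can produce are numbers, the listed functions and the listed operators, and evaluation time is linear in the input length, so there is nothing left for a determined user to smuggle through a character set. A time limit around any evaluator is still worth having as a second line of defence, but it should not be the first.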
On Mar 30, 10:07 pm, "Paul E Collins" <find_my_real_addr...@CL4.org>
wrote:
> "shimmyshack" <matt.fa...@gmail.com> wrote:
>> can you set limits on the resources (CPU/time,mem) this
>> dll will use, and if the call throws an error...
>
> Evaluation errors aren't a problem, because JScript's exception can be
> caught and handled in C#. Giving it only a set amount of time to run
> before aborting is possible, but hopefully not necessary (see below);
> it also wouldn't help if the code did some short-lived evil thing like
> overwriting a file.
>
>>> I think I'll just have to ban upper- and lower-case letters
>>> altogether unless they form part of a recognised Math
>>> library function.
>> IMHO blacklisting will never work,
>
> What I meant there - and what I've done for now - is to temporarily
> remove the entire names of known acceptable functions such as
> "Math.Floor" (the ones we offer in a dropdown list) and then check the
> remainder for only containing digits and math operators. Writing
> meaningful JS code without the use of letters should be impossible, so
> I think it's safe enough now.
>
>> you could lock the thing down using regular expressions.
>
> That seems like a good idea. I'll look into that one as well.
>
> Eq.

Yeah, I was thinking: if you want free-form equations to be executed,
good luck! But if you have a model for the type of equation they
will use, then you're laughing. I mean you are likely to get types of
expression like an n-degree polynomial (great, you're laughing), or it
must have a term in e^n where n is rational (great!). Using the real-
world problem and getting the likely expression will help you here. I
mean they are unlikely to need a tanh curve in there!!

Mar 30 '07 #5
