Webmaster Forum / HTML, CSS, Scripts / JavaScript / March 2007
Malicious code with limited character set?

Paul E Collins - 30 Mar 2007 14:42 GMT
Hello.

Some software I work on needs the ability to evaluate arithmetical
expressions at run-time. (Specifically, the user can enter a custom
formula to calculate the number of vehicles required to hold certain
sizes of container.) Since the C# libraries do not offer this, we are
calling into a separate .NET DLL, written in JScript, that merely
performs "eval" on a string and returns the result as a double.

Of course, "eval" can be used to execute arbitrary code. For example,
a formula of "for(;;){}" would lock up the program in an infinite
loop. To avoid this, I am restricting the formula to a minimal set of
characters, specifically:

- The digits 0 to 9, the brackets ( ) and the decimal point.
- The arithmetic, bitwise and ternary operators + - * / % < > = ~ & | ^ ? :
- The letters a-z and A-Z (to permit usage of Math.Floor etc.).

Without semicolons or braces, I believe the user will not be able to
create an expression that does anything bad (such as an infinite loop
or attempts at file access). Can anyone prove me wrong?

Eq.
Paul E Collins - 30 Mar 2007 14:49 GMT
> Without semicolons or braces, I believe the user will not be able to
> create an expression that does anything bad (such as an infinite
> loop or attempts at file access). Can anyone prove me wrong?

Curses. I've just found out that the semicolon isn't necessary, i.e.
this infinite loop will work in "eval" rather than raising a syntax
error:  while(true)continue

I think I'll just have to ban upper- and lower-case letters altogether
unless they form part of a recognised Math library function.

Eq.
shimmyshack - 30 Mar 2007 18:53 GMT
On 30 Mar, 14:49, "Paul E Collins" <find_my_real_addr...@CL4.org>
wrote:

> > Without semicolons or braces, I believe the user will not be able to
> > create an expression that does anything bad (such as an infinite
[quoted text clipped - 8 lines]
>
> Eq.

Can you set limits on the resources (CPU/time, memory) this DLL will use,
and if the call throws an error...? IMHO blacklisting will never work;
someone who wants to will find a way.
What model can you impose for the class of expression you allow? If
you only allowed polynomials up to a certain degree, or allowed only
certain types of formatting of certain operators (I'm thinking of ^(a/
b) for roots), you could lock the thing down using regular expressions.
It would be up to the customer not to try to use
^(123^123456/-6^(-7)), because you only accept ^a/b where a and b are
integers (^c where c is rational) up to a certain accuracy.
Am I being too simplistic, or forcing your users to jump through too
many hoops? How advanced are they? The more advanced, the fewer
restrictions they would mind.
Paul E Collins - 30 Mar 2007 22:06 GMT
> can you set limits on the resources (CPU/time,mem) this
> dll will use, and if the call throws an error...

Evaluation errors aren't a problem, because JScript's exception can be
caught and handled in C#. Giving it only a set amount of time to run
before aborting is possible, but hopefully not necessary (see below);
it also wouldn't help if the code did some short-lived evil thing like
overwriting a file.

> > I think I'll just have to ban upper- and lower-case letters
> > altogether unless they form part of a recognised Math
> > library function.
>
> IMHO blacklisting will never work,

What I meant there - and what I've done for now - is to temporarily
remove the entire names of known acceptable functions such as
"Math.Floor" (the ones we offer in a dropdown list) and then check the
remainder for only containing digits and math operators. Writing
meaningful JS code without the use of letters should be impossible, so
I think it's safe enough now.

> you could lock the thing down using regular expressions.

That seems like a good idea. I'll look into that one as well.

Eq.
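The two approaches discussed so far (restricting the character set in the first post, and stripping the known function names before checking the remainder in the post above) both still hand the string to "eval". The following is an added example, not code from the thread or from Paul's project, showing the alternative a reviewer would normally ask for: a small recursive-descent parser that evaluates the formula itself, so no JScript engine is involved and a name that is not in the allow-list table is simply a syntax error. It assumes a grammar of + - * / % with unary minus, parentheses and calls to the functions listed in ALLOWED_FUNCTIONS (the thread's bitwise, comparison and ternary operators are left out for brevity); the function table, the length cap and the sample formulas are assumptions made for this example.

```javascript
// Added example (not from the thread): evaluate a user-supplied formula with a
// recursive-descent parser instead of eval. Only names present as own properties
// of ALLOWED_FUNCTIONS resolve to anything callable, so "while", "for",
// "constructor" and the like can never execute.

const ALLOWED_FUNCTIONS = {           // the "dropdown list" of acceptable functions (assumed)
  'Math.floor': Math.floor,
  'Math.ceil': Math.ceil,
  'Math.round': Math.round,
  'Math.abs': Math.abs,
  'Math.min': Math.min,
  'Math.max': Math.max,
};
const MAX_FORMULA_LENGTH = 500;       // crude resource limit; assumed value

// Split the formula into tokens. Any character outside the allow-list is a
// syntax error, so ';', '{', '}', quotes and '[' never reach the parser.
function tokenize(src) {
  if (src.length > MAX_FORMULA_LENGTH) throw new SyntaxError('formula too long');
  const re = /\s*(?:(\d+(?:\.\d+)?)|([A-Za-z_][A-Za-z0-9_.]*)|([-+*\/%(),]))/y;
  const tokens = [];
  const s = src.trim();
  let pos = 0;
  while (pos < s.length) {
    re.lastIndex = pos;
    const m = re.exec(s);
    if (!m) throw new SyntaxError(`unexpected character at position ${pos}`);
    if (m[1] !== undefined) tokens.push({ type: 'num', text: m[1] });
    else if (m[2] !== undefined) tokens.push({ type: 'ident', text: m[2] });
    else tokens.push({ type: 'op', text: m[3] });
    pos = re.lastIndex;
  }
  return tokens;
}

// Grammar (precedence low to high):
//   expr    := term (('+' | '-') term)*
//   term    := unary (('*' | '/' | '%') unary)*
//   unary   := '-' unary | primary
//   primary := number | '(' expr ')' | ident '(' [expr (',' expr)*] ')'
function parseFormula(src) {
  const toks = tokenize(src);
  let i = 0;
  const peek = () => (i < toks.length ? toks[i].text : null);
  const next = () => toks[i++];
  const expect = (text) => {
    if (peek() !== text) throw new SyntaxError(`expected '${text}'`);
    i++;
  };

  function expr() {
    let v = term();
    while (peek() === '+' || peek() === '-') {
      v = next().text === '+' ? v + term() : v - term();
    }
    return v;
  }
  function term() {
    let v = unary();
    while (peek() === '*' || peek() === '/' || peek() === '%') {
      const op = next().text;
      const r = unary();
      v = op === '*' ? v * r : op === '/' ? v / r : v % r;
    }
    return v;
  }
  function unary() {
    if (peek() === '-') { i++; return -unary(); }
    return primary();
  }
  function primary() {
    const t = next();
    if (!t) throw new SyntaxError('unexpected end of formula');
    if (t.type === 'num') return Number(t.text);
    if (t.text === '(') { const v = expr(); expect(')'); return v; }
    if (t.type === 'ident') {
      // Own-property lookup only: inherited names such as 'constructor' are rejected.
      if (!Object.prototype.hasOwnProperty.call(ALLOWED_FUNCTIONS, t.text)) {
        throw new SyntaxError(`unknown function '${t.text}'`);
      }
      const fn = ALLOWED_FUNCTIONS[t.text];
      expect('(');
      const args = [];
      if (peek() !== ')') {
        args.push(expr());
        while (peek() === ',') { i++; args.push(expr()); }
      }
      expect(')');
      return fn(...args);
    }
    throw new SyntaxError(`unexpected token '${t.text}'`);
  }

  const result = expr();
  if (i !== toks.length) throw new SyntaxError(`unexpected token '${toks[i].text}'`);
  return result;
}

// Result-object wrapper: a malicious formula and a mistyped one are both just rejected.
function tryEvaluate(src) {
  try {
    return { ok: true, value: parseFormula(src) };
  } catch (e) {
    if (e instanceof SyntaxError) return { ok: false, error: e.message };
    throw e;
  }
}

// Constructed sample inputs: one valid formula and the two loop attempts from the thread.
for (const f of ['Math.floor(10 / 3) * 2 + 1', 'for(;;){}', 'while(true)continue']) {
  console.log(JSON.stringify(f), '->', JSON.stringify(tryEvaluate(f)));
}
```

Because the tokenizer only recognises digits, a dotted identifier, and the handful of operator characters, the rejection happens before any evaluation: "for(;;){}" fails on the first ';', and "while(true)continue" fails because "while" is not a key in the function table. Adding the bitwise and ternary operators from the first post means adding precedence levels to the grammar, not widening the character set handed to an interpreter.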
shimmyshack - 30 Mar 2007 23:40 GMT
On Mar 30, 10:07 pm, "Paul E Collins" <find_my_real_addr...@CL4.org>
wrote:
> > can you set limits on the resources (CPU/time,mem) this
> > dll will use, and if the call throws an error...
[quoted text clipped - 23 lines]
>
> Eq.

Yeah, I was thinking: if you want free-form equations to be executed,
good luck! But if you have a model for the type of equation they
will use, then you're laughing. I mean you are likely to get types of
expression, like an n-degree polynomial (great, you're laughing), or it
must have a term in e^n where n is rational (great!). Using the real-
world problem and getting the likely expression will help you here. I
mean they are unlikely to need a tanh curve in there!!
 
©2009 Advenet LLC   Privacy Policy - Terms of Use