Simple, secure scripting language implemented in JavaScript? [closed]
3

6

I would like to implement a scripting language to assist in partially automating certain tasks on a public wiki. I cannot install anything such as Google Caja on the server or modify the wiki software itself, but I can install JavaScript code for client-side execution. Because my intent is to allow ordinary users to create and post scripts, using JavaScript itself is insecure and could lead to account compromises.

Does such a scripting language implementation exist, or if not, is it relatively easy to create? My focus is on ease of text processing, Ajax requests, and implementation.

Here is an example task a script would need to perform, taken from Wikipedia's procedure for requesting article deletion:

  1. Ask the user for the name of a wiki page and a good reason to delete it.
  2. Get that page's source code, add a deletion notice to the top, and save the new text.
  3. Create a new page (its name based on the first page's name) that includes the reason for deletion.
  4. Get the list of users who edited the page and notify the first one (again, by editing a specific page) that the page he created is about to be deleted.

Inae answered 18/10, 2010 at 2:49 Comment(4)

If you want this language to both be able to make ajax requests and access/modify the DOM, you are not gaining any security over just JS (if it can't touch the DOM though, it might be no problem). – Anaximander

The idea is not for any arbitrary DOM modification or Ajax requests to be allowed, only those that are relatively "safe" and can be easily undone after the user is shown a list of actions that were in fact performed. – Inae

I don't understand at all. What is this "scripting language" supposed to be able to do? – Tonus

Can you give a very specific example of what one of these scripts might do? – Tonus

3

Here's an implementation of Tcl in javascript: Tcl in Javascript.

Here's the source: tcl.js.

And here's code implementing a live console in your browser to play with: A little tcl.js console

Tcl may not be your cup of tea but the implementation looks fairly simple and straightforward. This is mainly because tcl itself is such a simple language. You can use it to get ideas on how to implement variables and functions.

Hint: in tcl, control structures are functions so look at where built-in functions are implemented to see the implementation of for, while and foreach.

Gamine answered 29/10, 2010 at 2:13 Comment(0)
2

Douglas Crockford's ADsafe is supposed to be a secure subset of JavaScript.

It consists of a runtime library (~20 KB minified) and a verifier (included in JSLint). If Crockford were to drop "The Software shall be used for Good, not Evil" from the license, both components would be GPL-compatible open-source programs.

Because JSLint is a JavaScript program, it can verify user scripts entirely within the web browser. This is in contrast to Google Caja, which is written in Java.

Inae answered 29/10, 2010 at 1:52 Comment(1)

Adsafe doesn't seem to do anything about infinite loops or enforcing a timeout, which means it's still possible for one user to do something like for(;;); and have another user's page lock up; or something like a=[]; for(;;) { a = [a,a] } for a memory explosion. – Seko

-1

You could just sandbox; that is, scope in a couple of key variables so that the user's code is unable to access unsafe objects.

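// `var document` is hoisted, so the real document is captured outside the function that shadows it.
var execSandboxedJS = (function (realDocument) {
    return function (jsCode) {
        // Shadow window and document so the evaluated code sees only the root element.
        var window = realDocument.getElementById('myRootElement');
        var document = window;
        eval(jsCode);
    };
})(document);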

Though, allowing user code to make ajax requests is, in itself, inherently unsafe. I would reconsider the sanity of the project if that's what's called for.

Pope answered 18/10, 2010 at 6:33 Comment(1)

Not good enough. For starters, that can easily be broken out of by using self instead of window. The way JavaScript is, it would be extremely hard to patch all the holes - see code.google.com/p/google-caja/wiki/AttackVectors. – Inae
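
An alternative to shadowing globals around eval, shown here as an added example that is not code from any post or project on this page: a small Tcl-style command interpreter that never evaluates user text as JavaScript, resolves commands only from an allowlist, records host actions for the user to review, and enforces the step and size limits raised in the ADsafe comment. The names runScript, hostActions, maxSteps, the edit and notify actions, and the 4096-character limit are assumptions made for the illustration.

```javascript
// Added example: all names and limits here are hypothetical.
function runScript(source, hostActions, maxSteps = 1000) {
  const vars = new Map();   // script variables, kept apart from JS scope
  const log = [];           // host actions requested, for user review
  let steps = 0;

  // A Map has no inherited keys, so names such as "constructor" or
  // "__proto__" cannot resolve to anything outside this allowlist.
  const commands = new Map([
    ['set', (name, value) => { vars.set(name, value); return value; }],
    ['repeat', (count, ...rest) => {
      let last = '';
      for (let i = 0; i < Number(count); i++) last = exec(rest);
      return last;
    }],
  ]);
  // Host actions are only recorded; the page decides what to do with the log.
  for (const name of hostActions) {
    commands.set(name, (...args) => { log.push([name, ...args]); return ''; });
  }

  function exec(words) {
    // Every command costs one step, so nested loops cannot run forever.
    if (++steps > maxSteps) throw new Error('step budget exceeded');
    // Cap word size so repeated self-concatenation cannot exhaust memory.
    if (words.some(w => w.length > 4096)) throw new Error('value too long');
    const fn = commands.get(words[0]);
    if (!fn) throw new Error('unknown command: ' + words[0]);
    return fn(...words.slice(1));
  }

  for (const line of source.split('\n')) {
    // Words are bare tokens or "quoted strings"; $name expands a variable.
    const words = (line.match(/"[^"]*"|\S+/g) || []).map(w =>
      w.replace(/^"|"$/g, '')
       .replace(/\$(\w+)/g, (m, n) => (vars.has(n) ? vars.get(n) : '')));
    if (words.length && !words[0].startsWith('#')) exec(words);
  }
  return log;
}
```

The returned log is the list of requested actions; the host page can show it to the user before or after carrying them out.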