Semi-sandboxing Javascript eval


Problem description

Background: I'm working on a framework/library to be used for a specific site in coordination with greasemonkey/userscripts. This framework/library will allow for addon support. The way it will work is an addon registers with the library listing required pages, resources, etcetera, and the library will wait until all criteria are met to call the addon's load() function.

The Issue: In this listing of 'required stuff' I want addon devs to be able to specify javascript (as a string) to be evaluated as a 'required resource'. For example 'document.getElementById("banana")'. What I want to do is semi-sandbox the evaluation of the 'required resource' so the evaluation can access the window & DOM objects but is not able to directly alter them. I'd also like to make eval and evalJS inaccessible from the sandbox.



Examples

  • document.getElementById("banana") -> valid
  • document.getElementById("apple").id = "orange" -> invalid
  • window.grape -> valid
  • window.grape = 'potato' -> invalid
  • (someObj.applesCount > 0 ? 'some' : 'none') -> valid



What I have so far

function safeEval(input) {

    // Stash the real eval and evalJS, then remove them from the window:
    var e = [window.eval, window.evalJS], a;
    window.eval = function(){};
    window.evalJS = function(){};

    try {

        /* More sanitation needed before being passed to eval */

        // Eval the input, stuffed into an anonymous function
        // so the code to be evaluated cannot access the stored
        // eval functions. Calling the stored reference (e[0])
        // rather than the name "eval" makes this an indirect
        // eval, which runs the input in the global scope:
        a = (e[0])("(function(){return "+input+"}())");
    } catch(ex){}

    // Restore eval and evalJS on the window:
    window.eval = e[0];
    window.evalJS = e[1];

    // Return the eval'd result (undefined if the input threw)
    return a;
}



Notes:
This is a Greasemonkey/userscript. I do not have direct access to alter the site, or its javascript.
The input for safeEval() can be any valid javascript, be it a DOM query or simple evaluations, so long as it does not alter the window object or DOM.

Recommended answer

There's no absolute way to prevent an end user or addon developer from executing specific code in JavaScript. That's why security measures in an open source language like JavaScript are said to be foolproof (as in they're only effective against fools).

That being said, however, let's build a sandbox security layer to prevent inexperienced developers from breaking your site. Personally I prefer using the Function constructor over eval to execute user code for the following reasons:

  1. The code is wrapped in an anonymous function. Hence it may be stored in a variable and called as many times as needed.
  2. The function always exists in the global scope. Hence it doesn't have access to the local variables in the block which created the function.
  3. The function may be passed arbitrary named parameters. Hence you may exploit this feature to pass or import modules required by the user code (e.g. jQuery).
  4. Most importantly you may set a custom 'this' pointer and create local variables named 'window' and 'document' to prevent access to the global scope and the DOM. This allows you to create your own version of the DOM and pass it to the user code.

Note however that even this pattern has disadvantages. Most importantly, it may only prevent direct access to the global scope. User code may still create global variables by simply declaring variables without var, and malicious code may use hacks like creating a function and using its 'this' pointer to access the global scope (the default behavior of JavaScript).

So let's look at some code: http://jsfiddle.net/C3Kw7/
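The Function-constructor pattern from the answer, as an added example that is not the answer's jsfiddle code: 'window' and 'document' are shadowed by read-only views, a strict-mode prologue closes the two escapes the answer warns about (globals created without var, and the default 'this'), and a constructed fake DOM stands in for the page so it runs offline. The names readOnlyView, safeEval, tryEval, fakeWindow and fakeDocument are assumptions of this example.

```javascript
// Added example, not the answer's own code. In a userscript you would pass
// the real window and document into readOnlyView() instead of the fakes.
function readOnlyView(target) {
  const wrap = (v) => (v !== null && typeof v === "object") ? readOnlyView(v) : v;
  return new Proxy(target, {
    // Reads are forwarded. Methods run against the real target, and any object
    // they return is wrapped too, so a getElementById() result is also read-only.
    get(t, prop) {
      const v = t[prop];
      if (typeof v === "function") return (...args) => wrap(v.apply(t, args));
      return wrap(v);
    },
    set(t, prop) { throw new TypeError("sandbox: cannot set " + String(prop)); },
    deleteProperty(t, prop) { throw new TypeError("sandbox: cannot delete " + String(prop)); },
    defineProperty(t, prop) { throw new TypeError("sandbox: cannot define " + String(prop)); },
  });
}

function safeEval(input, realWindow, realDocument) {
  // The parameters shadow the globals of the same name. The "use strict"
  // prologue makes assignment to an undeclared name throw instead of creating
  // a global, and leaves `this` undefined inside nested plain functions.
  // eval and Function themselves remain reachable, so this is the layer
  // against inexperienced developers that the answer describes, not a hard
  // security boundary.
  const fn = new Function("window", "document",
    '"use strict"; return (' + input + ');');
  return fn.call(undefined, readOnlyView(realWindow), readOnlyView(realDocument));
}

// Constructed stand-ins shaped like the question's examples.
const fakeDocument = {
  elements: { banana: { id: "banana" }, apple: { id: "apple" } },
  getElementById(id) { return this.elements[id] || null; },
};
const fakeWindow = { grape: "vine", someObj: { applesCount: 3 } };

// Runs one addon snippet and reports whether the sandbox allowed it.
function tryEval(input) {
  try { return { ok: true, value: safeEval(input, fakeWindow, fakeDocument) }; }
  catch (e) { return { ok: false, error: e.constructor.name }; }
}
```

Reads such as document.getElementById("banana") succeed, while the write document.getElementById("apple").id = "orange" fails with a TypeError from the view and the fake DOM is left unchanged.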

