Quantcast
Channel: ClearScript
Viewing all articles
Browse latest Browse all 2297

New Post: Sandboxing and security

0
0
ClearScript,

Does your statement "If you don't expose any host objects, JavaScript code can only access built-ins such as Math" only apply when using the V8 Engine? It seems like if you use Microsoft.ClearScript.Windows.JScriptEngine for example, you could use ActiveXObject as an exploit.

Consider this script method, which is designed to let a user write a script to transform data by executing it over each row as the data is copied someplace. The following code executed just fine with the JScript engine, and row.SomeField had the contents of some-secret-file.txt in it when done.
function transform(row){ 
    // Intended use
    row.SomeField = row.Foo * row.Bar;  
    
    // Malicious use
    var fso = new ActiveXObject('Scripting.FileSystemObject');
    var f = fso.OpenTextFile('c:\\temp\\some-secret-file.txt');
    row.SomeField = f.ReadAll();
    f.Close();
    fso = null;
}
Am I missing something? Is there some way to run completely sandboxed?

Justin

Viewing all articles
Browse latest Browse all 2297




Latest Images