ClearScript,
Does your statement "If you don't expose any host objects, JavaScript code can only access built-ins such as Math" only apply when using the V8 Engine? It seems like if you use Microsoft.ClearScript.Windows.JScriptEngine for example, you could use ActiveXObject as an exploit.
Consider this script method, which is designed to let a user write a script to transform data by executing it over each row as the data is copied someplace. The following code executed just fine with the JScript engine, and row.SomeField had the contents of some-secret-file.txt in it when done.
Justin
Does your statement "If you don't expose any host objects, JavaScript code can only access built-ins such as Math" only apply when using the V8 Engine? It seems like if you use Microsoft.ClearScript.Windows.JScriptEngine for example, you could use ActiveXObject as an exploit.
Consider this script method, which is designed to let a user write a script to transform data by executing it over each row as the data is copied someplace. The following code executed just fine with the JScript engine, and row.SomeField had the contents of some-secret-file.txt in it when done.
function transform(row){
// Intended use
row.SomeField = row.Foo * row.Bar;
// Malicious use
var fso = new ActiveXObject('Scripting.FileSystemObject');
var f = fso.OpenTextFile('c:\\temp\\some-secret-file.txt');
row.SomeField = f.ReadAll();
f.Close();
fso = null;
}Justin
