Re: ADsafe and bind

  • marcel.laverdet
    Sep 5, 2008
      --- In caplet@yahoogroups.com, David-Sarah Hopwood <david.hopwood@...> wrote:
      >
      > Douglas Crockford wrote:
      > > ADsafe will block the bind method. The bind method proposed for ES3.1
      > > is safe, but the bind methods provided by the current Ajax libraries
      > > are not because they can bind to the global object.
      >
      > Don't some of these libraries have other aliases for bind-like methods?
      > For example Prototype has 'bindAsEventListener', although I don't know of
      > any specific attack based on that in the context of ADsafe.
      >
      > --
      > David-Sarah Hopwood
      >

      I'm kind of late to this (just joined this group), but this just seems like a losing battle. Trusting
      that a host hasn't opened itself up to an attack by unsafely extending built-ins seems
      dubious. For instance, consider this little number that Prototype comes with:
      Array.prototype.first = function() {
          return this[0];
      };

      To be clear, the attack that this opens you up to is as follows:
      var win = ([].first || 0)();

      Of course, the attack assumes that the host uses Prototype and also has an iframe on the
      page, but I imagine such cases aren't hard to find. There are also several other ways you can
      get window without even depending on Prototype:
      ([].slice || 0)(0)
      ([].sort || 0)()
      ([].forEach || 0)(function(a,b,win){ })

      So now you're in a tough situation. Do you blacklist all of those vectors? I see you're
      currently using mozilla() to handle concat, reverse, and sort but that approach won't work
      consistently on all sites. Additionally you run into the problem that by poking around at
      Array.prototype you break hosts that use for (var ii in arr); for array iteration under the
      assumption that Array.prototype contains only DontEnum properties.

      My recommendation is to implement context-switching between the host environment and
      ADSafe environments. First loop through the prototypes of Object, Function, Array, String,
      Number, and RegEx and store a copy of everything you find in your own dictionary, while at
      the same time `delete'ing those properties. Then run through Array again and augment all
      known dangerous Array methods (there's a lot of them, according to my list: map, forEach,
      each, filter, every, some, reduce, reduceRight, sort, reverse, concat, and slice). After that
      you've strong-armed the environment into a much safer state. You can then run your
      untrusted code in a try/catch block and restore the environment back to the state it was in
      before.

      Also, for what it's worth I've gotten around blacklisting "eval" in FBJS with the following trick:
      if (Object.prototype.eval) {
          window.eval = Object.prototype.eval;
          delete Object.prototype.eval;
      }

      Apparently, if you delete Object.prototype.eval, eval no longer works in some versions of
      Konqueror, so that's what the window.eval assignment is for. We've been running under this
      environment for a while with no side effects, so you may want to give it a try.

      Cheers.
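The following is an added example, not code from the post above or from ADsafe, Prototype or FBJS. It shows, on a current engine (Node or a browser console), the two halves of what the post describes: why a sloppy-mode prototype extension hands the global object to code that calls it detached from its receiver (and why a strict-mode function does not), and a snapshot/remove/restore "context switch" around untrusted code, which is the approach the post recommends. The `first`/`last` extensions are constructed stand-ins for a Prototype-style library, and the baseline of pristine prototype keys is taken at file load; a real sandbox would read that baseline from a fresh, empty iframe so it does not depend on script load order.

```javascript
// Added example, not code from the original post. Shows (1) why a host's
// sloppy-mode prototype extension hands out the global object when untrusted
// code calls it detached from its receiver, and (2) a snapshot/remove/restore
// "context switch" around untrusted code, as the post recommends.

// Prototypes the sandbox guards, the same list the post gives.
const GUARDED = [
  Object.prototype, Function.prototype, Array.prototype,
  String.prototype, Number.prototype, RegExp.prototype,
];

// Baseline of own property keys per prototype, taken before any host library
// runs. Assumption: in a real page this would come from a fresh, empty iframe
// so it does not depend on script load order; here it is taken at file load.
const BASELINE = new Map(GUARDED.map((p) => [p, new Set(Reflect.ownKeys(p))]));

// Constructed stand-ins for Prototype-style extensions. Built with the Function
// constructor so they are sloppy-mode whatever mode this file runs in, just
// like a library written before strict mode existed.
function installHostExtensions() {
  Array.prototype.first = new Function('return this[0];');
  Array.prototype.last = new Function('return this[this.length - 1];');
}

// What `this` resolves to when a function is invoked detached from any receiver,
// e.g. `([].first || 0)()`. Sloppy-mode code sees the global object; strict-mode
// code sees undefined, which is why strict mode closes this particular hole.
function unboundThis(fn) {
  return fn.call(undefined);
}
const sloppyReturnThis = new Function('return this;');
function strictReturnThis() {
  'use strict';
  return this;
}

// Remove every own property a host added to the guarded prototypes, run the
// untrusted callback, then put back exactly what was removed (full descriptors,
// so enumerability is preserved). A non-configurable addition cannot be removed,
// so the sandbox refuses to run rather than run with it present.
function runWithHostExtensionsRemoved(untrusted) {
  const removed = [];
  const restore = () => {
    for (const [proto, key, desc] of removed) Object.defineProperty(proto, key, desc);
  };
  for (const proto of GUARDED) {
    const pristine = BASELINE.get(proto);
    for (const key of Reflect.ownKeys(proto)) {
      if (pristine.has(key)) continue;
      const desc = Object.getOwnPropertyDescriptor(proto, key);
      if (!desc.configurable) {
        restore();
        throw new Error(`non-removable host extension: ${String(key)}`);
      }
      removed.push([proto, key, desc]);
      delete proto[key];
    }
  }
  try {
    return untrusted();
  } finally {
    restore();
  }
}

// Stand-alone run: what untrusted code sees inside and outside the switch.
function demo() {
  installHostExtensions();
  const inside = runWithHostExtensionsRemoved(() => typeof [].first);
  return {
    sloppyUnboundThisIsGlobal: unboundThis(sloppyReturnThis) === globalThis,
    strictUnboundThis: unboundThis(strictReturnThis),
    firstInsideSandbox: inside,          // 'undefined'
    firstAfterSandbox: typeof [].first,  // 'function', restored by the finally
  };
}
console.log(demo());
```

The restore runs in a `finally`, so an exception thrown by the untrusted code still leaves the host's prototypes exactly as they were, which is the part of the post's "try/catch and restore" that is easy to get wrong. Removing by descriptor rather than by value also avoids the `for (var ii in arr)` breakage the post mentions: the host's properties come back with their original enumerability instead of being re-added as plain enumerable assignments.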