
How to run user-provided Javascript without security issues (like jsFiddle, jsBin, etc.)?

I need to run a Javascript function that is completely written by the user. I provide him a skeleton, but the details are for him to specify, e.g.

function main(model, console) {
    // the user can enter anything here
    // ideally, he would only be allowed to 
    // use the methods that "model" and "console" provide, e.g.
    var item = model.getItems();
    console.log("Found " + item.length + " items.");
}

For the application to work, the user only needs to access methods and properties of the parameters (he explicitly doesn't require document or window access or send XMLHttpRequests).

I have already read several articles about the eval() function and how you can use it to run code. I also read other articles on StackOverflow (how jsFiddle runs code, eval in general, etc.), but I'm still not sure how to do it properly.

First of all: what are the real issues of eval()? What can an attacker do and how can you prevent it (with whitelists, blacklists or user input sanitizing libraries)? Can anyone explain in depth how jsFiddle and such websites execute user input?

What can eval'ed code do? It could do essentially anything your code can do; it is evaluated in the same context.

Creating a system to allow third-party code to run while protecting yourself is extremely hard and rife with opportunities to shoot yourself in the foot. Trying to cook up your own solution is a very bad idea.

Luckily there are a number of well tested projects created by very smart people that endeavor to make it safe to run third party code. The two most prominent ones would be Google Caja and Douglas Crockford's ADsafe.

As @Barmar noted, JSFiddle runs the code in an iframe on a different domain; this causes the browser to not allow the code in the iframe access to the parent page due to the Same Origin Policy.

The proper way to run untrusted JavaScript is to put it into a sandboxed environment. Here is the technique used by a Jailed library written by myself for exactly the mentioned purpose:

For Node.js:

  1. Create a subprocess;

  2. Load the code as a string (read the file contents in case you have its path);

  3. Add "use strict"; at the beginning of the code (in order to prevent breaking the sandbox using arguments.callee.caller);

  4. Evaluate that string in a separate context using vm.runInNewContext(), where the provided sandbox only exposes some basic methods like setTimeout().

For the web-browser:

  1. Create an iframe with a sandbox attribute (so that its content obeys the cross-origin policy and therefore cannot access the main application);

  2. Create a web-worker inside that iframe (so that user-submitted code will get its own thread and therefore will not freeze the UI)
