JS: Forbidding things

Open Steffan153 opened this issue 4 years ago • 4 comments

For just disabling a function, and it has already been undefined, things to handle:

https://www.codewars.com/kata/reviews/5e8ad9356ea54400012d2d11/groups/5e8efc4c45ab07000144ec39
https://www.codewars.com/kata/reviews/5e8ad9356ea54400012d2d11/groups/5e8efc0edf15f9000118d18c

vm, require, module.require, process.mainModule.require.

@error256 might be able to come up with more?

As far as disabling a specific string, that's really meh... TODO

Steffan153 avatar Dec 30 '20 21:12 Steffan153

Maybe some note on Object.freeze used to prevent tampering with built-in things would be useful?

hobovsky avatar Dec 30 '20 22:12 hobovsky
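The `Object.freeze` idea from the comment above, as an added example that is not part of the thread or of Codewars' own code: it locks built-ins before a solution runs and reports how each tampering attempt ends. The helper names `lockGlobal` and `tamperReport` and the choice of `Math` and `JSON` are assumptions made for illustration.

```javascript
// Added example: lock the built-ins a kata's tests rely on before the
// submitted solution runs. Helper names are hypothetical, not Codewars APIs.

// Freeze a global (and its prototype, for constructors) and pin the global
// binding too: Object.freeze alone still allows `globalThis.Math = ...`.
function lockGlobal(name) {
  'use strict';
  const value = globalThis[name];
  Object.freeze(value);
  if (typeof value === 'function') Object.freeze(value.prototype);
  Object.defineProperty(globalThis, name, { writable: false, configurable: false });
  return value;
}

// Try the three ways of changing obj[key] and record how each one ended.
// Strict mode makes failed writes throw instead of being silently ignored.
function tamperReport(obj, key, replacement) {
  'use strict';
  const original = obj[key];
  const attempts = {
    assign: () => { obj[key] = replacement; },
    define: () => { Object.defineProperty(obj, key, { value: replacement }); },
    remove: () => { delete obj[key]; },
  };
  const report = {};
  for (const [how, attempt] of Object.entries(attempts)) {
    try { attempt(); report[how] = 'allowed'; }
    catch (err) { report[how] = err.name; }
  }
  // Sloppy-mode callers get no exception, so always compare the value as well.
  report.intact = obj[key] === original;
  return report;
}

// Constructed stand-in for an unprotected built-in, so the contrast can be
// shown without damaging a real one.
const unprotected = { max: Math.max };
const reportBefore = tamperReport(unprotected, 'max', () => 0);

lockGlobal('Math');
lockGlobal('JSON');
const reportAfter = tamperReport(Math, 'max', () => 0);   // property level
const reportRebind = tamperReport(globalThis, 'Math', {}); // binding level

console.log({ reportBefore, reportAfter, reportRebind });
```

The freeze is shallow, so each object the tests call into has to be locked explicitly, and it must happen before any solution code is loaded.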

> As far as disabling a specific string, that's really meh

Actually, I have found that disabling strings intelligently is quite an effective and easy method to forbid things, since in JavaScript there are very few methods to use a string as code; all one needs to do is to forbid them and then forbid the relevant keyword.

I think one can easily enforce the first solution by merely disabling require (which by itself disables a whole lot of things).

XRFXLP avatar Jan 06 '21 13:01 XRFXLP

Okay, when disabling a string: require, module.require, vm, process.binding (undefining will make Node not work, only disable contextify as the argument), eval, ...

Steffan153 avatar Jan 06 '21 14:01 Steffan153

There is actually a better way to disable eval: delete it from global.

By doing that you would get rid of the function constructor and JSFuck stuff (which obviously won't be disabled by disabling strings).

XRFXLP avatar Jan 06 '21 14:01 XRFXLP