
How to increase the security of Expression and avoid executing evil JavaScript code

Open WoeOm opened this issue 2 years ago • 4 comments

Version

Reproduction link
https://sunmao-ui.com/dev.html

Steps to reproduce
Inside the Text component, enter {{alert()}}

What is expected?

What is actually happening?

WoeOm avatar Oct 27 '22 06:10 WoeOm

Good point. Sunmao uses new Function() to run the code in Expression, so the expression runs globally and Sunmao cannot prevent the expression from running.

But there is a simple workaround that solves this problem to some extent, which is overriding some dangerous global variables (like alert) when evaluating expressions. Maybe we can add it in the next version.

tanbowensg avatar Oct 27 '22 09:10 tanbowensg
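The comment above describes two things: expressions are compiled with new Function(), so they run in global scope, and a partial mitigation is to override dangerous globals while evaluating. The block below is an added example written for this page; it is not sunmao's code. It evaluates an expression body the way the comment describes, shadows an assumed denylist of globals by declaring them as parameters bound to undefined, and then shows why the mitigation only works "to some extent": a sloppy-mode function called without a receiver has `this` bound to globalThis, and any function's `.constructor` is the real Function constructor, so both `this.alert(...)` and `(() => {}).constructor("return alert")()` reach the real global. The `alert` stand-in, the `BLOCKED_GLOBALS` list, the `scope` argument and the demo inputs are all constructed for the example.

```javascript
// Added example, not sunmao-ui code. Node has no alert(), so a recording
// stand-in is installed on globalThis to play the browser's alert().
const alertCalls = [];
globalThis.alert = (msg) => { alertCalls.push(String(msg)); };

// Assumed denylist of global names to hide from expressions.
const BLOCKED_GLOBALS = [
  'alert', 'eval', 'Function', 'fetch', 'XMLHttpRequest',
  'document', 'window', 'self', 'top', 'parent', 'globalThis',
];

// Evaluate one expression body (the text between {{ and }}) with new Function,
// as the comment describes. new Function compiles in global scope no matter
// where this helper lives, so the only way to shadow a global name is to
// declare it as a parameter and pass undefined for it. `scope` holds the app
// state (e.g. api.result) the expression is allowed to read.
function evaluateExpression(expr, scope = {}) {
  const scopeNames = Object.keys(scope);
  const fn = new Function(...BLOCKED_GLOBALS, ...scopeNames, `return (${expr});`);
  return fn(
    ...BLOCKED_GLOBALS.map(() => undefined),
    ...scopeNames.map((name) => scope[name]),
  );
}

// Wrapper that reports whether the expression ran or threw.
function tryExpression(expr, scope = {}) {
  try {
    return { ok: true, value: evaluateExpression(expr, scope) };
  } catch (err) {
    return { ok: false, error: `${err.name}: ${err.message}` };
  }
}

// Constructed inputs:
// 1. data: ordinary state access, {{api.result.length}} with api.result = "abc"
// 2. blocked: a bare alert() hits the undefined parameter and throws
// 3. viaThis: `this` in a sloppy-mode function called with no receiver is
//    globalThis, so this.alert resolves to the real alert despite the denylist
// 4. viaConstructor: (() => {}).constructor is the real Function constructor;
//    the function it builds has no shadowing parameters, so `alert` is global
function demo() {
  return {
    data: tryExpression('api.result.length', { api: { result: 'abc' } }),
    blocked: tryExpression('alert("blocked")'),
    viaThis: tryExpression('this.alert("via this")'),
    viaConstructor: tryExpression(
      '(() => {}).constructor("return alert")()("via constructor")',
    ),
    alertCalls: [...alertCalls],
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Shadowing by parameter name is a denylist over identifiers, not a boundary over the global object: anything that reaches globalThis through a value (`this`, a function's `.constructor`, an object's prototype chain) is unaffected. Prepending `'use strict';` to the compiled body closes the `this` route but not the `.constructor` one, which is the practical reason the thread goes on to say that sandboxing JavaScript is hard.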

JavaScript sandboxing is a very tricky problem.

But lowcode allows access to third-party APIs, and the return values of APIs such as alert(), GetSessionToken(), eval() may also be executed through {{api.result}}.

WoeOm avatar Oct 27 '22 09:10 WoeOm

One thing I'm thinking about is how should we define 'dangerous code'.

Because in sunmao, the expressions are written by the app developer, the people who can be responsible for the code.

Yuyz0112 avatar Oct 28 '22 06:10 Yuyz0112

Another point is whether the expression system makes XSS happen more easily. I think the answer is yes and there is something we can improve.

Yuyz0112 avatar Oct 28 '22 06:10 Yuyz0112