capn_midnight

[web] Securing user-contributed scripts


capn_midnight    1707
I was thinking of an idea for a game contest that let people write small JavaScript snippets inside of their browser to fill in logic for the non-boilerplate portions of the game code. Basically, the contest would provide a simple set of functions/framework for making simple, 2D games (probably puzzle games), and you would create an account on the site, get a small amount of storage for your scripts, could maybe even set up simple project pages, write a simple game using the on-site editor, and then save it to present to other people.

The problem I'm running into is making sure that black-hat users don't upload code that messes with anything outside of the framework. Presumably, players might also have accounts on the site (maybe just for the fact that they are also game makers), and a particularly nefarious user could write scripts that would impersonate that user because the script would be running within the site domain, so it would get around XSS restrictions.

Any suggestions? I think I just need to somehow prevent direct access to anything in the DOM.

landlocked    103
[quote name='capn_midnight' timestamp='1307042535' post='4818806']
I was thinking of an idea for a game contest that let people write small JavaScript snippets inside of their browser to fill in logic for the non-boilerplate portions of the game code. Basically, the contest would provide a simple set of functions/framework for making simple, 2D games (probably puzzle games), and you would create an account on the site, get a small amount of storage for your scripts, could maybe even set up simple project pages, write a simple game using the on-site editor, and then save it to present to other people.
[/quote]
So you want to provide people with basically a JavaScript "game engine" and let them create games based on this JavaScript framework?

[quote name='capn_midnight' timestamp='1307042535' post='4818806']
The problem I'm running in to is making sure that black-hat users don't upload code that messes with anything outside of the framework.
[/quote]
JavaScript is like that. It's the C++ of the browser world.

[quote name='capn_midnight' timestamp='1307042535' post='4818806']
Presumably, players might also have accounts on the site (maybe just for the fact that they are also game makers), and a particularly nefarious user could write scripts that would impersonate that user because the script would be running within the site domain, so it would get around XSS restrictions.
[/quote]
Register two domains. One is for creation and the other is for playing. jscreator.com and jsplayer.com would separate the pools, so to speak, and keep your domain barriers where they need to be.

[quote name='capn_midnight' timestamp='1307042535' post='4818806']
Any suggestions? I think I just need to somehow prevent direct access to anything in the DOM.
[/quote]
Then you don't want to use JavaScript. You'd have to write your own superset of JavaScript like the jQuery team did and then you'd have to strip out any native JavaScript usage and only allow your own proprietary structure. You could strip out certain calls like "document.getElementById" but that is pretty laborious as there are several ways to achieve the same effect.

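The two-origin split landlocked describes, worked through as an added example (this is not code from the thread or from any project mentioned in it; the origin `https://games.example`, the `submitScore`/`log` commands and the function names are placeholders I made up). The host page on the accounts origin embeds each user game in an iframe served from the separate games origin, and the only channel back is `postMessage`, where the host checks `event.origin` and dispatches only an allowlisted set of commands. The pure message-handling part runs under Node for checking; the iframe wiring only runs in a browser.

```javascript
// Added example, not from the original post. GAME_ORIGIN is an assumed
// placeholder for landlocked's "jsplayer.com"-style separate domain.
const GAME_ORIGIN = "https://games.example";

// Commands the host will execute on a game's behalf. Nothing here reaches
// cookies, storage or account state; each handler validates its own args.
const HOST_COMMANDS = {
  submitScore: (args) => {
    const score = Number(args.score);
    if (!Number.isFinite(score) || score < 0 || score > 1e9) {
      throw new Error("rejected: score out of range");
    }
    return { accepted: true, score: Math.floor(score) };
  },
  log: (args) => ({ accepted: true, line: String(args.text).slice(0, 200) }),
};

// Validate one message from a game frame. `event` is MessageEvent-like
// ({ origin, data }). Returns a result object and never throws.
function handleGameMessage(event) {
  if (event.origin !== GAME_ORIGIN) {
    return { accepted: false, reason: "untrusted origin " + event.origin };
  }
  const data = event.data;
  if (!data || typeof data !== "object" || typeof data.cmd !== "string") {
    return { accepted: false, reason: "malformed message" };
  }
  // hasOwnProperty, not `in`: keeps "constructor", "__proto__" etc. out.
  if (!Object.prototype.hasOwnProperty.call(HOST_COMMANDS, data.cmd)) {
    return { accepted: false, reason: "unknown command " + data.cmd };
  }
  try {
    return HOST_COMMANDS[data.cmd](data.args || {});
  } catch (err) {
    return { accepted: false, reason: err.message };
  }
}

// Browser-only wiring (assumed URL layout). Not executed under Node.
function mountGame(scriptId) {
  const iframe = document.createElement("iframe");
  // allow-same-origin keeps the frame's origin as GAME_ORIGIN, which the
  // check above relies on; since that is not the host's origin the game
  // still cannot read host cookies or DOM. Omitting the other flags blocks
  // top navigation, form posts and popups from inside the frame.
  iframe.setAttribute("sandbox", "allow-scripts allow-same-origin");
  iframe.src = GAME_ORIGIN + "/play/" + encodeURIComponent(scriptId);
  document.body.appendChild(iframe);
  window.addEventListener("message", (event) => {
    const result = handleGameMessage(event);
    // Reply only to the sender, and only if it is still on the game origin.
    if (event.source) event.source.postMessage(result, GAME_ORIGIN);
  });
  return iframe;
}
```

One caveat a practitioner would want: every user's game shares the games origin, so one uploaded game can tamper with another game on that origin (not with the accounts site). Per-user subdomains, or the `sandbox` attribute without `allow-same-origin` (which makes `event.origin` the string `"null"`, so the host would compare `event.source` against the frame's `contentWindow` instead), narrows that further.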
Dino    172
Is this server-side JavaScript? If it is, then check out the latest issue (June 2011) of JsMag. My article on Game Development using Node.js in this month's issue talks about adding scripting language support to the game engine as well as sandboxing it.

You can use the coupon code neb9v6k for a free issue.

capn_midnight    1707
[quote name='landlocked' timestamp='1307044508' post='4818819']
So you want to provide people with basically a JavaScript "game engine" and let them create games based on this JavaScript framework?
[/quote]
Yeah, like I said, it'd be really simple things. I'm thinking of this as an educational tool that I can use to teach classes on programming at my hackerspace.

[quote name='landlocked' timestamp='1307044508' post='4818819']
Register two domains. One is for creation and the other is for playing. jscreator.com and jsplayer.com would separate the pools, so to speak, and keep your domain barriers where they need to be.
[/quote]
That solves the one issue of protecting the user's account from the games, and is definitely a good suggestion.

[quote name='landlocked' timestamp='1307044508' post='4818819']
Then you don't want to use JavaScript. You'd have to write your own superset of JavaScript like the jQuery team did and then you'd have to strip out any native JavaScript usage and only allow your own proprietary structure. You could strip out certain calls like "document.getElementById" but that is pretty laborious as there are several ways to achieve the same effect.
[/quote]
Yeah, I had considered doing that and was kind of hoping I wouldn't have to.

I might check out some of the projects for converting Python to JavaScript and run from there. Python would be a little more conducive to my purpose anyway.

[quote name='Dino' timestamp='1307046384' post='4818833']
Is this server-side JavaScript? If it is, then check out the latest issue (June 2011) of JsMag. My article on Game Development using Node.js in this month's issue talks about adding scripting language support to the game engine as well as sandboxing it.
[/quote]
No, definitely client-side.


Dino    172
So you are allowing users to add code for when certain events or actions happen, right? That means someone could submit an infinite loop, which would cause an individual browser to grind down, right?

When dealing with user submitted code, especially those running on the client, there is little you can do to limit the JS execution.

If you are interested, what you can do is build a framework in which the client API is a proxy layer to a message-based server.

The server can be a JavaScript based server that can properly sandbox the user submitted code.

That's your best option, IMO.

Dino    172
There is one other thing that can help you. ECMAScript 5 compliant browsers also allow you to freeze and seal objects. ECMAScript is the standard that JavaScript follows.

Might be useful to you.

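Dino's freeze/seal pointer, worked through as an added example (my code, not from the thread; the `drawTile`/`input` API is invented). It shows three things a practitioner would want to know before relying on this: `Object.freeze` on the framework object stops a user script from replacing its entry points, but it is shallow, so nested objects like an input buffer need freezing too; `Object.seal` only fixes an object's shape and still lets existing properties be overwritten; and freezing the API does nothing about globals, so a script handed a frozen `api` can still reach `globalThis` (`window` in a browser) unless it runs in another origin or a worker.

```javascript
// Added example, not from the original post.

// Object.freeze is shallow: nested objects and arrays stay mutable unless
// frozen themselves, so walk the object graph. Functions are frozen too so
// a script cannot hang properties off them.
function deepFreeze(obj) {
  for (const key of Object.getOwnPropertyNames(obj)) {
    const value = obj[key];
    if (value && (typeof value === "object" || typeof value === "function")) {
      deepFreeze(value);
    }
  }
  return Object.freeze(obj);
}

// The framework object handed to a user script (API shape made up here).
function makeGameApi() {
  const api = {
    drawTile: (x, y, color) => ({ x, y, color }),
    input: { keys: [] },
  };
  return deepFreeze(api);
}

// Simulates a hostile script trying to hijack api.drawTile and to inject
// fake input. Strict mode inside this function makes writes to frozen
// objects throw instead of silently doing nothing.
function attemptTamper(api) {
  "use strict";
  const outcome = { drawTileReplaced: false, keysPushed: false, threw: 0 };
  try { api.drawTile = () => "hijacked"; } catch (err) { outcome.threw++; }
  try { api.input.keys.push("fake"); } catch (err) { outcome.threw++; }
  outcome.drawTileReplaced = api.drawTile(0, 0, "r") === "hijacked";
  outcome.keysPushed = api.input.keys.length > 0;
  return outcome;
}

// seal vs freeze: a sealed object keeps its shape (no add/delete) but its
// existing writable properties can still change; a frozen one cannot.
function sealVsFreeze() {
  const sealed = Object.seal({ hp: 10 });
  const frozen = Object.freeze({ hp: 10 });
  sealed.hp = 0;                          // allowed
  try { frozen.hp = 0; } catch (err) {}   // ignored in sloppy mode, throws in strict
  return { sealedHp: sealed.hp, frozenHp: frozen.hp };
}

// The caveat: freezing the API does not fence off the global object.
// Runs user source with `api` as its only parameter and returns its result.
function runAgainstFrozenApi(userScriptSource) {
  const run = new Function("api", userScriptSource);
  return run(makeGameApi());
}
```

The last function is the point of the whole thread: `runAgainstFrozenApi("return typeof globalThis.Object")` answers `"function"`, so a frozen API protects the framework from being monkey-patched but is not a sandbox; the origin separation still has to come from elsewhere.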
