Re: Malicious code with limited character set?



On Mar 30, 10:07 pm, "Paul E Collins" <find_my_real_addr...@xxxxxxx>
wrote:
"shimmyshack" <matt.fa...@xxxxxxxxx> wrote:
can you set limits on the resources (CPU/time,mem) this
dll will use, and if the call throws an error...

Evaluation errors aren't a problem, because JScript's exception can be
caught and handled in C#. Giving it only a set amount of time to run
before aborting is possible, but hopefully not necessary (see below);
it also wouldn't help if the code did some short-lived evil thing like
overwriting a file.

I think I'll just have to ban upper- and lower-case letters
altogether unless they form part of a recognised Math
library function.

IMHO blacklisting will never work,

What I meant there - and what I've done for now - is to temporarily
remove the entire names of known acceptable functions such as
"Math.Floor" (the ones we offer in a dropdown list) and then check the
remainder for only containing digits and math operators. Writing
meaningful JS code without the use of letters should be impossible, so
I think it's safe enough now.

you could lock the thing down using regular expressions.

That seems like a good idea. I'll look into that one as well.

Eq.

Yeah, I was thinking - if you want free-form equations to be executed,
good luck! - but if you have a model for the type of equation they
will use, then you're laughing. I mean you are likely to get types of
expression, like an n-degree polynomial, great, you're laughing, or it
must have a term in e^n where n is rational, great! Using the real-world
problem and getting the likely expression will help you here. I
mean they are unlikely to need a tanh curve in there!!
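As an added example (not code from either poster), here is the allow-list check described above, written so that the dropdown's function names must appear as whole tokens rather than being stripped out as substrings, and combining it with the regex-style restriction to digits, operators and parentheses. The function list and the formulas in the test are constructed placeholders.

```javascript
// Allow-list validation of a user-supplied formula before it reaches the
// script engine. Every token must be a number, an operator, a parenthesis,
// a comma, or an entire function name from the dropdown list; anything
// else (letters, quotes, semicolons, ...) is rejected.
// ALLOWED_FUNCTIONS is a constructed placeholder for the dropdown contents.
const ALLOWED_FUNCTIONS = new Set(["Math.floor", "Math.sqrt", "Math.pow", "Math.abs"]);

// Sticky regex: matches exactly one token at lastIndex, skipping whitespace.
// Group 1 = number, group 2 = (dotted) identifier, group 3 = operator/paren/comma,
// group 4 = any other non-space character, which is always rejected.
const TOKEN = /\s*(?:(\d+(?:\.\d+)?)|([A-Za-z_][A-Za-z0-9_]*(?:\.[A-Za-z_][A-Za-z0-9_]*)*)|([-+*\/%^(),])|(\S))/y;

function validateFormula(src) {
  if (!src.trim()) return { ok: false, reason: "empty formula" };
  TOKEN.lastIndex = 0;
  let depth = 0;       // parenthesis nesting
  let prevFn = false;  // last token was a function name, so "(" must follow
  while (TOKEN.lastIndex < src.length) {
    const m = TOKEN.exec(src);
    if (!m) break;     // only trailing whitespace remains
    const [, , ident, op, junk] = m;
    if (junk !== undefined) return { ok: false, reason: `unexpected character "${junk}"` };
    if (ident !== undefined && !ALLOWED_FUNCTIONS.has(ident)) {
      return { ok: false, reason: `identifier "${ident}" is not an allowed function` };
    }
    if (prevFn && op !== "(") return { ok: false, reason: "function name must be followed by (" };
    if (op === "(") depth++;
    if (op === ")" && --depth < 0) return { ok: false, reason: "unbalanced )" };
    prevFn = ident !== undefined;
  }
  if (prevFn) return { ok: false, reason: "function name must be followed by (" };
  if (depth !== 0) return { ok: false, reason: "unbalanced (" };
  return { ok: true, reason: "" };
}
```

This is a token-level filter, not a full grammar check: a formula such as `2 * * 3` passes here and is left for the script engine's own parser to reject.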
