Re: Parsing JavaScript to prevent maliciousness?
- From: pharrington <xenogenesis@xxxxxxxxx>
- Date: Sat, 15 Aug 2009 22:56:40 -0700 (PDT)
On Aug 15, 9:35 pm, Mongoose Sir mongoose <mongoos...@xxxxxxxxx> wrote:
> Hello,
> I'm working on a site that is implementing similar functionality to _A
> Certain Large Social Networking Site_'s Apps feature.
> Application developers will be able to write apps in a hybrid HTML /
> "FooML" / JavaScript syntax.
> This will get parsed by my servers (as the man in the middle) and then
> shoved back to the user's browser as HTML.
> Now, my normal inclination is just to dive in and start coding away =)
> But I figured one of the smart people here might have some good pointers
> on where to start.
> The tricky problems, as I see them:
> * Allowing access to some JavaScript functionality while stripping out
> malicious calls (document.cookies ?)
> * Also: how to deal with Base64 / eval / other tomfoolery that attackers
> might attempt
Does a Ruby JavaScript parser exist? A quick google brings up
http://idontsmoke.co.uk/2005/rbnarcissus/, dunno how well it actually
works though. Either way, "stripping out malicious calls" is the
opposite of the correct approach (as attackers *will* outclever you,
100% of the time); rather you create a whitelist of acceptable
JavaScript, nixing everything that doesn't match your criteria. Mayhaps
it might even be easier to create your own language that users can
use, and translate that into JS?
> * Parsing custom tags like <foo:username />, <foo:friend_list count="4"
> />.
> The last one seems similar enough to parsing HTML trees (so hopefully
> there's something in ruby-land that can help with this)
This seems like the standard Hpricot/Nokogiri parsing affair; are
either of those not suiting your needs?
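As an added illustration of the whitelist approach suggested above (this is example code, not from the original thread or any project), here is a small renderer for the hybrid HTML / "FooML" markup: it parses the developer's markup into a tree, re-emits only whitelisted tags and attributes, expands the `foo:` tags from server-side data, and drops everything else. The tag set, attribute set, `urn:fooml` namespace and user record are assumptions; REXML from the Ruby standard library stands in for Hpricot/Nokogiri so it runs without gems.

```ruby
require 'rexml/document'

# Whitelist renderer for the hybrid HTML / "FooML" markup in the thread: anything
# not explicitly allowed is dropped instead of hunting for known-bad calls. REXML
# (stdlib) stands in for Hpricot/Nokogiri; tag set, attributes and user record
# are assumptions made for this example.
module FooML
  ALLOWED  = { 'div' => [], 'p' => [], 'b' => [], 'a' => ['href'] }.freeze
  SAFE_URL = %r{\A(https?://|/)}i                        # rejects javascript:, data:, ...
  ESC      = { '&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;' }.freeze
  def self.esc(s); s.gsub(/[&<>"]/, ESC); end

  # Developer markup must be well-formed XML; only whitelisted output is re-emitted.
  def self.render(markup, user)
    doc = REXML::Document.new(%(<root xmlns:foo="urn:fooml">#{markup}</root>))
    children(doc.root, user)
  end
  def self.children(node, user)
    node.children.map { |c| render_node(c, user) }.join
  end
  def self.render_node(node, user)
    case node
    when REXML::Text    then esc(node.value)             # text (and CDATA) re-escaped on output
    when REXML::Element then node.prefix == 'foo' ? foo_tag(node, user) : html_tag(node, user)
    else ''                                              # comments, processing instructions: dropped
    end
  end

  # FooML tags expand server-side from trusted data, never from the developer's markup.
  def self.foo_tag(node, user)
    case node.name
    when 'username' then esc(user[:name])
    when 'friend_list'
      count = node.attributes['count'].to_i.clamp(0, 50)  # bound what a tag may request
      "<ul>#{user[:friends].first(count).map { |f| "<li>#{esc(f)}</li>" }.join}</ul>"
    else ''                                              # unknown FooML tag: dropped
    end
  end
  def self.html_tag(node, user)
    allowed_attrs = ALLOWED[node.name]
    return '' unless allowed_attrs                       # <script>, <iframe>, ...: gone with contents
    attrs = []
    node.attributes.each do |name, value|
      next unless allowed_attrs.include?(name)           # onclick=, style=, ...: dropped
      next if name == 'href' && value !~ SAFE_URL        # javascript: URLs: dropped
      attrs << %( #{name}="#{esc(value)}")
    end
    "<#{node.name}#{attrs.join}>#{children(node, user)}</#{node.name}>"
  end
end
```

Because the output is rebuilt from the parse tree rather than patched in place, an unknown tag, attribute or URL scheme never reaches the browser, which is the property a blacklist cannot give you.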