Use other dependencies in code #24

Closed
Wilt opened this issue Dec 15, 2015 · 2 comments

Wilt commented Dec 15, 2015

Consider this a question...
How can I implement dependencies and how can I make sure this doesn't open new vulnerabilities?

For example, I have some custom JavaScript classes and I want to use them during the evaluation of my code. Just to give an example of what it could look like:

```js
// Base class: plain data about one person.
Person = function( FirstName, LastName, Age, Sex ){
    this.FirstName = FirstName;
    this.LastName = LastName;
    this.Age = Age;
    this.Sex = Sex;
};

// A Parent is a Person that also tracks its children.
Parent = function( FirstName, LastName, Age, Sex ){
    Person.call( this, FirstName, LastName, Age, Sex );
    this.Children = [];
};
Parent.prototype = Object.create( Person.prototype );

Father = function( FirstName, LastName, Age ){
    Parent.call( this, FirstName, LastName, Age, "male" );
};
Father.prototype = Object.create( Parent.prototype );

Mother = function( FirstName, LastName, Age, Sex ){
    Parent.call( this, FirstName, LastName, Age, "female" );
};
Mother.prototype = Object.create( Parent.prototype );

// A Child takes its last name from the father and registers itself with both parents.
Child = function( Father, Mother, FirstName, Age, Sex ){
    Person.call( this, FirstName, Father.LastName, Age, Sex );
    this.Mother = Mother; // was assigned Father, so the mother never received the child
    this.Father = Father;
    this.Age = Age;

    this.addChildToFather();
    this.addChildToMother();
};
Child.prototype = Object.create( Person.prototype );
// Never called in this snippet; ObjectPlacement is not defined anywhere in it.
Child.prototype.setParents = function(){
    if( this.ObjectPlacement !== null ){
        this.ObjectPlacement.PlacesObject.push( this );
    }
};
Child.prototype.addChildToFather = function(){
    if( this.Father !== null ){
        this.Father.Children.push( this );
    }
};
Child.prototype.addChildToMother = function(){
    if( this.Mother !== null ){
        this.Mother.Children.push( this );
    }
};
```

So prototype etc. should be available...

Contributor

kumavis commented Dec 15, 2015

@Wilt evel.js is more of an experiment / challenge - not used as a security measure in production anywhere.
If you have a real situation where you need to run untrusted code that interfaces with trusted code, I would keep them in separate sandboxes and have them interact via an RPC interface.
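
The separation suggested in the comment above, as an added example (not code from evel or from anyone in this thread): the trusted classes stay on one side, and the untrusted side can only send JSON requests naming an allowlisted method and integer handles. `Person`, the method names and `handleRpc` are hypothetical; the sandbox itself and the transport that carries the strings (worker messages, a pipe between processes) are assumed to exist and are not shown.

```javascript
// Added illustration: the trusted side of a JSON RPC boundary. All names are hypothetical.
class Person {
  constructor(firstName, lastName, age) {
    Object.assign(this, { firstName, lastName, age, children: [] });
  }
}

const objects = new Map(); // integer handle -> trusted object; objects never leave this side
let nextHandle = 1;
const isName = (s) => typeof s === 'string' && s.length > 0 && s.length <= 64;
const isAge = (n) => Number.isInteger(n) && n >= 0 && n <= 150;
function lookup(handle) {
  if (!Number.isInteger(handle) || !objects.has(handle)) throw new Error('bad handle');
  return objects.get(handle);
}

// Allowlist of callable methods. A Map has no inherited keys, so a request for
// "constructor" or "__proto__" resolves to nothing.
const methods = new Map([
  ['createPerson', ([first, last, age]) => {
    if (!isName(first) || !isName(last) || !isAge(age)) throw new Error('bad arguments');
    objects.set(nextHandle, new Person(first, last, age));
    return nextHandle++;
  }],
  ['addChild', ([parent, child]) => {
    const p = lookup(parent);
    lookup(child); // the child handle must exist too
    if (parent === child || p.children.includes(child)) throw new Error('bad arguments');
    p.children.push(child);
    return p.children.length;
  }],
  ['describe', ([handle]) => {
    const { firstName, lastName, age, children } = lookup(handle);
    return { firstName, lastName, age, children: [...children] }; // plain copy, handles only
  }],
]);

// Entry point: takes the request as a string and returns the reply as a string,
// so only serialized data crosses the boundary in either direction.
function handleRpc(requestText) {
  try {
    const req = JSON.parse(requestText);
    const fn = methods.get(req.method);
    if (typeof fn !== 'function' || !Array.isArray(req.params)) throw new Error('bad request');
    return JSON.stringify({ ok: true, result: fn(req.params) });
  } catch {
    return JSON.stringify({ ok: false, error: 'request rejected' }); // no internals leaked
  }
}
```

Because replies carry copies and handles rather than object references, the caller never holds a prototype chain or function from the trusted side to walk.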

Owner

natevw commented Oct 17, 2017

Yeah, like @kumavis explained, this would be out of scope. If no further bypass is found, evel is still just a low-level tool that one could cautiously use to carefully build something bigger around.

natevw closed this as completed Oct 17, 2017