Sandbox code evaluation / prevent redirections

[marcosvega91]

Trying to test the parser I see that in the editor you can write everything. There is not check on what you are writing. You can write for example alert('hello') or whatever.

I think that we need to parse the string before evaluate it, extracting method and check it is enabled to use.

[smeijer]

Why would that be a problem? Are there security concerns that we need to think about?

The alert example is something I can also do on codepen or jsfiddle

[marcosvega91]

Security I think that now is not a problem. I don't know If is correct to enable the user to write what he wants. I thought that it was a bug.

[smeijer]

I understand your concern, but unless I'm missing something serious, I think that's exactly what we want.

The most serious javascript injection that I'm aware of is about:

• session hijacking
• cookie stealing
• code injection

Session Hijacking
We don't have any sessions, or server side, so I'm not worried about this

Cookie stealing
We don't have cookies

Code injection
Code injection usually means that you write a comment or something, and by executing javascript you change the functionality behind some buttons or redirect your user to another site.

It is now possible to add a redirect, and forward the user to your own site when you would share the playground URL. I can imagine that we should block things like that.

For example, add something like this to your playground:

window.location.href = 'https://google.com';

playground

[smeijer]

Thinking about this, I think this can be done quite easily.

If we would evaluate the query inside an iframe (maybe just in the preview pane?), the only thing that would be redirected, would be the iframe.

[marcosvega91]

Now there is no problem. The only strange thing about it is that the eval function will evaluate everything but the result is only for the last sentence. So it could be strange

[smeijer]

True, but we would make it quite difficult for ourselves if we would only execute the last expression.

const role = 'button';
screen.getByRole(role);

[marcosvega91]

You are right

[smeijer]

Got the sandboxing thing working. I'll submit a PR in a couple of days.