On Sun, Aug 16, 2009 at 03:00:12PM +0900, pharrington wrote:
> On Aug 15, 9:35m, Mongoose Sir mongoose <mongoos... / gmail.com>
> wrote:
> > Hello,
> >
> > I'm working on a site that is implementing similar functionality to _A
> > Certain Large Social Networking Site_'s Apps feature.
> >
> > Application developers will be able to write apps in a hybrid HTML /
> > "FooML" / JavaScript syntax.
> >
> > This will get parsed by my servers (as the man in the middle) and then
> > shoved back to the user's browser as HTML.
> >
> > Now, my normal inclination is just to dive in and start coding away =)
> >
> > But I figured one of the smart people here might have some good pointers
> > on where to start.
> >
> > The tricky problems, as I see them:
> >
> > * Allowing access to some JavaScript functionality while stripping out
> > malicious calls (document.cookies ?)
> > * Also: how to deal with Base64 / eval / other tomfoolery that attackers
> > might attempt
> 
> Does a Ruby JavaScript parser exist? A quick google brings up
> http://idontsmoke.co.uk/2005/rbnarcissus/, dunno how well it actually
> works though. Either way, "stripping out malicious calls" is the
> opposite of the correct approach (as attackers *will* outclever you,
> 100% of the time); rather you create a whitelist of acceptable
> JavaScript, nixing everything that doesn't match your criteria. Mayhaps
> it might even be easier to create your own language that users can
> use, and translate that into JS?

Yes, there are a couple of JavaScript parsers out there:

  RKelly (It's pure ruby):
    http://github.com/tenderlove/rkelly

  And Johnson (uses Spidermonkey's parse tree):
    http://github.com/jbarnette/johnson

Both support AST manipulation as well as turning the AST back into
JavaScript.  Either of them should be easy enough to work with, but
properly sanitizing JavaScript sounds hard!

-- 
Aaron Patterson
http://tenderlovemaking.com/
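An added example, not code from this thread or from the rkelly/johnson projects: an allowlist sanitizer for a small JavaScript subset in plain Ruby. It hand-rolls a tokenizer and recursive-descent parser for that subset so it runs without either gem; with RKelly or Johnson the same walk would run over their AST node classes instead. The `App` global and the `ui`/`showDialog`/`getText` property names are an assumed app-facing API standing in for whatever the FooML surface exposes. Everything not on the list is rejected rather than stripped, including computed property access (`window["ev" + "al"]`), which cannot be judged statically, and the output is regenerated from the checked AST rather than echoing the developer's bytes.

```ruby
# Added example: allowlist sanitizer for a tiny JavaScript subset.
# Pure Ruby; the mini-parser stands in for an RKelly/Johnson AST.
require 'strscan'

module JsAllowlist
  # Hypothetical app API: the only global an app may touch, and the only
  # property names it may reach through dot access.
  ALLOWED_GLOBALS = %w[App].freeze
  ALLOWED_MEMBERS = %w[ui showDialog getText].freeze

  class Rejected < StandardError; end

  # Tokens: number, double-quoted string, identifier, or one punctuation char.
  TOKEN = /\s*(?:(\d+)|("(?:[^"\\]|\\.)*")|([A-Za-z_$][\w$]*)|(\S))/

  def self.tokenize(src)
    ss = StringScanner.new(src)
    tokens = []
    while ss.scan(TOKEN)
      tokens << if ss[1] then [:num, ss[1]]
                elsif ss[2] then [:str, ss[2]]
                elsif ss[3] then [:id, ss[3]]
                else [:punct, ss[4]]
                end
    end
    tokens
  end

  # Recursive descent for:  program := expr (';' expr)* ';'?
  #   expr    := primary ( '.' id | '[' expr ']' | '(' args ')' )*
  #   primary := num | str | id | '(' expr ')'
  # Anything outside this grammar raises Rejected: unknown syntax is not
  # skipped over, it fails the whole program.
  class Parser
    def initialize(tokens)
      @t = tokens
      @i = 0
    end

    def parse_program
      stmts = []
      until @t[@i].nil?
        stmts << parse_expr
        break if @t[@i].nil?
        expect(';')
      end
      stmts
    end

    def parse_expr
      node = parse_primary
      loop do
        tok = @t[@i]
        if punct?(tok, '.')
          @i += 1
          name = @t[@i]
          raise Rejected, 'identifier expected after "."' unless name && name[0] == :id
          @i += 1
          node = [:member, node, name[1]]
        elsif punct?(tok, '[')
          @i += 1
          idx = parse_expr
          expect(']')
          node = [:index, node, idx]
        elsif punct?(tok, '(')
          @i += 1
          args = []
          unless punct?(@t[@i], ')')
            loop do
              args << parse_expr
              break unless punct?(@t[@i], ',')
              @i += 1
            end
          end
          expect(')')
          node = [:call, node, args]
        else
          return node
        end
      end
    end

    def parse_primary
      tok = @t[@i]
      raise Rejected, 'unexpected end of input' if tok.nil?
      @i += 1
      return tok if %i[num str id].include?(tok[0])
      raise Rejected, "unexpected #{tok[1].inspect}" unless tok[1] == '('
      inner = parse_expr
      expect(')')
      inner # grouping parens are dropped; this grammar has no precedence to preserve
    end

    def expect(p)
      raise Rejected, "expected #{p.inspect}" unless punct?(@t[@i], p)
      @i += 1
    end

    def punct?(tok, p)
      tok && tok[0] == :punct && tok[1] == p
    end
  end

  # The allowlist walk: every node must be a known kind and every name on
  # the list. Computed access (obj[expr]) is rejected outright because its
  # target cannot be known statically (window["ev" + "al"]).
  def self.check(node)
    kind, a, b = node
    case kind
    when :num, :str then nil
    when :id     then raise Rejected, "global #{a} not allowed" unless ALLOWED_GLOBALS.include?(a)
    when :member
      raise Rejected, "property #{b} not allowed" unless ALLOWED_MEMBERS.include?(b)
      check(a)
    when :index  then raise Rejected, 'computed property access not allowed'
    when :call   then (check(a); b.each { |arg| check(arg) })
    else raise Rejected, "unsupported node #{kind}"
    end
    node
  end

  # Regenerate JavaScript from the checked AST so the browser receives
  # exactly what was checked, not the developer's original bytes.
  def self.to_js(node)
    kind, a, b = node
    case kind
    when :num, :str, :id then a
    when :member then "#{to_js(a)}.#{b}"
    when :call   then "#{to_js(a)}(#{b.map { |x| to_js(x) }.join(', ')})"
    end
  end

  # Returns regenerated JavaScript, or raises Rejected.
  def self.sanitize(src)
    stmts = Parser.new(tokenize(src)).parse_program
    stmts.each { |s| check(s) }
    stmts.map { |s| to_js(s) }.join('; ') + ';'
  end

  def self.safe?(src)
    sanitize(src)
    true
  rescue Rejected
    false
  end
end
```

Usage: `JsAllowlist.sanitize('App.ui.showDialog(App.getText("hi"))')` returns the regenerated statement, while `document.cookie`, `eval("x")`, `App["ui"]` and `window["ev" + "al"]("x")` all raise `JsAllowlist::Rejected` (the last already at parse time, since `+` is not in the grammar). Growing the allowed surface means adding node kinds and names to the lists, never adding patterns to strip.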