I’m developing a scripting extension, similar to Greasemonkey or Chrome’s content-script engine. This extension will allow script writers to do very dangerous things like access local files.
If I ever release this extension to the public, I would like it to be able to warn novice users if a script will use a “dangerous” function. I’d like this warning to be as hard to circumvent as possible.
For example, the extension can search for the protected string GM_openSQL_Connection and warn the user — maybe like this:

Assume that the base web page will never be able to access GM_openSQL_Connection thanks to sandboxing mechanisms. Likewise, no <script> node will be able to.
But, the script writer could still circumvent the simple search, from above, with something like:
eval (decodeURI ("GM_op%65nSQL_Connection (...);") )
So the question is what are the kinds of ways in which an evil scripter can fool the check for restricted function usage, and how might I prevent such mischief?
Note: false warnings can be okay. For example if the script author uses the text “GM_openSQL_Connection” in an otherwise static string, then he will just have to put up with the (false) warning.
There are thousands of combinations, for example, with eval(), new Function(), combinations of String.fromCharCode() and decodeURI() (like in your example).
Could you overload/shadow specific bad functions/objects/variables?
To set a flag if the extension attempts to access a forbidden function or variable, simply have a var isDangerous = false which is set to true if a forbidden function is called or the get/set on a forbidden property is accessed/modified.
If the isDangerous is true, then you can mark that extension as potentially having dangerous function/property calls/accesses.
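The two checks discussed above, side by side, as an added example that is not part of the question or the answers: the substring search from the question next to the isDangerous wrapper idea from the last answer. Only GM_openSQL_Connection comes from the page; RESTRICTED, staticScan, runWithTraps, api and the sample scripts are hypothetical names and constructed input.

```javascript
// Added example. Only GM_openSQL_Connection comes from the page; the other
// names (RESTRICTED, staticScan, runWithTraps, api) are hypothetical.
const RESTRICTED = ["GM_openSQL_Connection"];

// Static check from the question: substring search over the script source.
function staticScan(source) {
  return RESTRICTED.filter((name) => source.includes(name));
}

// Runtime check from the answer: the script only ever receives wrappers,
// which set the flag and ask for consent before forwarding to the real API.
function runWithTraps(source, realApi, askUser) {
  const report = { isDangerous: false, calls: [], error: null };
  const wrappers = RESTRICTED.map((name) => function (...args) {
    report.isDangerous = true;
    report.calls.push(name);
    if (!askUser(name, args)) throw new Error(name + " blocked");
    return realApi[name](...args);
  });
  try {
    // Restricted names are bound as parameters of the script's function, so
    // a direct eval() of a decoded string still resolves to the wrappers.
    new Function(...RESTRICTED, source)(...wrappers);
  } catch (err) {
    report.error = err.message;
  }
  return report;
}

// Constructed sample input: stub API plus the obfuscated call from the question.
const api = { GM_openSQL_Connection: (db) => "opened " + db };
const obfuscated = 'eval(decodeURI("GM_op%65nSQL_Connection(\'demo.db\');"))';
const benign = 'var note = "GM_openSQL_Connection";';

function demo() {
  return {
    staticMiss: staticScan(obfuscated),                     // search sees nothing
    runtimeHit: runWithTraps(obfuscated, api, () => false), // trap fires, call denied
    falseWarning: staticScan(benign),                       // string only, never called
    benignRun: runWithTraps(benign, api, () => false),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The flag is raised only when the call actually executes, so this gates the call at run time; it cannot warn at install time about a code path that has not run yet.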