Tags: javascript, security, google-chrome-extension, firefox-addon, spoofing

How can javascript (or a browser extension) detect the use of restricted functions?


I'm developing a scripting extension, similar to Greasemonkey or Chrome's content-script engine. This extension will allow script writers to do very dangerous things like access local files.

If I ever release this extension to the public, I would like it to be able to warn novice users if a script will use a "dangerous" function. I'd like this warning to be as hard to circumvent as possible.

For example, the extension can search for the protected string GM_openSQL_Connection and warn the user -- maybe like this:
(Image: Bad script warning)

Assume that the base web page will never be able to access GM_openSQL_Connection thanks to sandboxing mechanisms. Likewise, no <script> node will be able to.

But, the script writer could still circumvent the simple search, from above, with something like:

eval (decodeURI ("GM_op%65nSQL_Connection (...);") )


So the question is what are the kinds of ways in which an evil scripter can fool the check for restricted function usage, and how might I prevent such mischief?


Note: false warnings can be okay. For example if the script author uses the text "GM_openSQL_Connection" in an otherwise static string, then he will just have to put up with the (false) warning.


Solution

  • What are the ways in which an evil scripter can fool the check for restricted function usage?

    There are thousands of combinations, for example, with eval(), new Function(), combinations of String.fromCharCode() and decodeURI() (like in your example).

    How might I prevent such mischief?

    Could you overload/shadow specific bad functions/objects/variables?

    // Shadow the real function: any call now reaches the warning instead.
    GM_openSQL_Connection = function() {
       warnUser();
    };
    

    To set a flag if the extension attempts to access a forbidden function or variable, simply have a var isDangerous = false which is set to true if a forbidden function is called or the get/set on a forbidden property is accessed/modified.

    If the isDangerous is true, then you can mark that extension as potentially having dangerous function/property calls/accesses.
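Putting the two ideas together, as an added example that is not part of the question or the answer: the static string search from the question beside a runtime check that shadows the restricted names with getters and setters which set an isDangerous flag, so the decodeURI/eval trick from the question is still caught when the name is resolved. GM_openSQL_Connection, GM_readLocalFile and the sample scripts are constructed for this example; a real extension would put its actual API objects behind the guard.

```javascript
// Added example, not code from the original question or answer.
// Restricted API names are assumed for this example.
const RESTRICTED = ['GM_openSQL_Connection', 'GM_readLocalFile'];

// Layer 1: the plain text search from the question (cheap, easy to fool).
function staticScan(source, restricted) {
  return restricted.filter((name) => source.includes(name));
}

// Layer 2: an object whose restricted members are accessor properties.
// Any get or set trips the flag, records the name and hands back a stub,
// so the script keeps running and later accesses are recorded too.
function makeGuard(restricted) {
  const state = { isDangerous: false, accessed: [] };
  const api = {};
  const trip = (name) => { state.isDangerous = true; state.accessed.push(name); };
  for (const name of restricted) {
    Object.defineProperty(api, name, {
      enumerable: true,
      get() { trip(name); return function stub() { return undefined; }; },
      set() { trip(name); },
    });
  }
  return { api, state };
}

// Run the script in a sloppy-mode function whose scope chain starts at the
// guard object, so free references to restricted names resolve through it.
// A direct eval inside the script resolves in that same scope, which is why
// eval(decodeURI("GM_op%65nSQL_Connection(...)")) still hits the getter.
function checkScript(source, restricted = RESTRICTED) {
  const { api, state } = makeGuard(restricted);
  const runner = new Function('__api', 'with (__api) { ' + source + '\n}');
  let error = null;
  try { runner(api); } catch (e) { error = String(e); }
  return {
    staticHits: staticScan(source, restricted),
    isDangerous: state.isDangerous,
    accessed: state.accessed,
    error,
  };
}

// Constructed sample scripts: the obfuscated call from the question, and a
// harmless one that never touches the restricted API.
const OBFUSCATED = 'eval(decodeURI("GM_op%65nSQL_Connection(1);"));';
const PLAIN = 'var n = 1 + 1;';
```

The runtime layer only flags code paths that actually execute during the check, so a script that defers the call (for example until a button is clicked) is reported only by whichever layer sees it; the same shadowing can stay installed at run time to catch the call later.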