Call local PowerShell Script from Browser/Javascript - javascript

I know this is security-wise an absolute No-Go. But I have a customer, who has an angular application running internally only. This means the workers of the customer don't have internet access in the browser in which they use the application, and it is running in a virtual machine.
So they don't really care about browser-security, since they only use the application on it.
Now they have following use case:
User clicks a button in the Angular app
A powershell script on the local machine gets executed
So my question is, is there a way to call a local Powershell script with using Angular/Javascript?
My current idea
I could start a local NodeJS server on the virtual machines (always when they are booting) running on localhost:8080 for example, which listens for Rest calls.
When the user hits the button, the Angular app will make a Rest-Call to localhost:8080, which is the client node-server and the node-server executes the Powershell-script.
I see that's possible with: Execute Powershell script from Node.js
So does this make sense?
Or is there a better way to accomplish something like this? (As I said if there's a possibility to turn off browser security it's ok.)

Other way to achieve this is by registering a custom protocol with your application. That is how lot of apps like slack, skype etc work. But, your initial solution seems more platform independent.

Related

I am trying to use a locally hosted Django webserver's HTML button to execute a python script that's on my local machine and I'm stumped

So, I'm pretty new to Django, python, and javascript.
I have a partially functional Django webserver that, while developing it, I host locally on my machine.
I've made a button with HTML which I've figured out can be tied to a javascript script. The next step for me was to make this button "execute" a python script that's sitting on my machine, particularly on the /desktop directory. I can of course move the script though, but the important part is that I want that python script (let's call it django_test_script.py) to open its own window on my machine. It's just a file that says "hi" in stdout, then closes after 5 seconds, but due to the plan for this whole project, I want that to happen. I want to have my website open on my machine, click that button, then have the script's console pop up on my desktop and run/finish.
The eventual goal is to control an LED strip that's plugged into my raspberry pi. I want colored buttons on the website that, when clicked, run appropriate python scripts that turn the lights to that color. It wouldn't take me long to write up the python scripts themselves that would change colors, but I need to bridge the gap between "button causes a py script to run" and the python script actually running.
I see a ton of questions similar to this, but they all seem to involve running the python scripts WITHIN the webserver, like internal files that do everything and then return something to the server via an HttpResponse.
I don't need an HttpResponse. Literally all I want to do for right now is figure out how to make a script that's stored on the machine run.
I've done some reading on AJAX and I'm guessing that's involved, however everything I've tried has failed with AJAX in terms of actually getting the server to RUN a script. I've been scouring the internet for over an hour now and have found basically nothing useful (as far as I can tell) so I figured I may as well ask for help. Can someone please point me in the right direction in terms of what I'll need to do?
I'm afraid that's not possible. The browser doesn't allow to execute local scripts since everything is (for security reasons) in a sandbox.
If you want to execute something you could do one of the following:
Use a http server which executes the script and call it via AJAX
You build it into an exectron / nodejs app which opens more possibilities to access the system. See this example
But from your requirement I assume the website will be opened on another device to remote control the Pi led? If you you'll need to use some sort of http server as otherwise you can't run the script on the pi itself.

Run browser toolbar button using jquery or javascript

I have added a chrome extension called "External Application Button".
What it does is we can add external application like sublime.exe, vscode.exe etc to our browser toolbar and on click , it opens the exe.
So using jquery or javascript is it possible to make that button click happen?
My main goal is to make that application run using jquery or javascript code in a webpage.
Both for an extension and a webpage it's impossible to do it on its own, without installing extra software. You are "sandboxed" in what you can do on a computer from your code, and limited to whatever APIs browsers provide.
To invoke an application external to the browser, an extension needs to use something called Native Host. This is why installing something extra is required to make that extension work.
Regular webpages can't use Native Hosts, so that route is closed.
Can we do it from webpage code, if we allow installing an extension?
Yes, an extension that talks to a webpage (through content scripts, or externally_connectable mechanism) can allow websites to trigger extension code, that triggers native host code, that does what you want.
You can't do that with arbitrary third party extensions, so you'll need to write your own.
Can you do it anyway, without an extension, if we allow installing an extra component?
In principle, yes. A typical way to do it is to install a helper program that opens a web server on a local port, e.g. localhost:12345. Then any JavaScript context can try connecting to it.
In practice, there are complications.
How do you secure your local server from arbitrary connections? You'd need some pre-shared secret to not allow other sites, or other software on the local machine, to abuse this.
Connecting to non-HTTPS domains from HTTPS websites is a problem. Making a certificate for localhost that's trusted by the browser is also a problem (that has security implications if circumvented). That complicates installation of the extra component.
Another idea: your extra component can register itself as a protocol handler. For example, you can add a launch-app: protocol and tell the system that your helper application needs to be invoked. Example: Steam uses this approach to communicate with its client from the browser (e.g. to install / start a game).
Note that this is one-way communication, but for the "launch a program" use case it's enough.
Then you can just provide links to that special protocol to do that. Again, this requires installation of an extra component in the target system. You can't do that with just the browser.
So the overall answer is: it's complicated, and needs extra software installation.

What's the simplest way to refresh a particular browser tab from a Go application?

I have a client-side Golang application running on my machine. I also have a browser open, and in that browser there might be a tab running my web application (which is completely separate from the Golang app).
From the Golang app, I would like to programmatically refresh the browser tab (and maybe if possible, bring it to front, but that's less important).
I researched quite a lot already, and I concluded this is not possible just by communicating to the browser, there is no standard (especially cross-platform and cross-browser) interface with which we can trigger the refresh of a specific tab of a browser.
So I suppose I'll need to have some custom JS code running on the website with which my Golang application can communicate and trigger the refresh of the tab.
What's the easiest way to do this?
(I was looking at livereload.js and lrserver, but these all start with the premise that there is a folder of content we'd like to watch and automatically reload on any change. But I don't want that, I just programmatically want to trigger the refresh. Also, this Golang app is not hosting the website, it's just a separate client-side application.)
As suggested by some comments, there seems to be no API through which we could connect to a browser from Golang, query the list of tabs, and refresh a particular page (at least not in a cross-browser and cross-platform way).
One possible approach to do this is to host a small WebSocket endpoint in Golang, and connect to it from the site we want to refresh. Then send a message through the WS connection every time we want to reload the site, and in JavaScript call location.reload() when we receive the message.
I described all the details in a blog post, and uploaded a complete working example to GitHub.

Lauching .bat or .exe client-side

I face an issue for a client who need to launch an application from a ASP.Net website client side. For the moment the solution is using ActiveX, but we all want to find an other way to do this action.
I read this links to find informations :
Is it possible to run an .exe or .bat file on 'onclick' in HTML
https://msdn.microsoft.com/en-us/library/aa767914%28v=vs.85%29.aspx
I know that for security issues, browsers don't allow the launch of client applications, but did someone find a hack to do something like that and have a sample to post ?
Have a good day
The technology exists for YEARS and it's called ClickOnce.
https://msdn.microsoft.com/en-us/library/142dbbz4%28v=vs.90%29.aspx
It requires the .NET Framework at the client side and a support from a browser (some browsers require a plugin to correctly handle ClickOnce apps).
Applications are deployed either in a form of a self-extracting installer (setup.exe) or a link to an XML document, the manifest, that describes location of other components (appname.application). In any case, a client just clicks a link, the app is downloaded and run locally, using local client permissions.
In particular, the app can read/write local files, use certificates from the local store, print documents using local printers, call other services ever if they are cross-domain etc.
And note that such ClickOnce application can run client local processes without any restrictions. We use this feature for years and it sounds like this is exactly your scenario.
Theoretically it could happen if a service was listening on some predefined port and the application simply sent a specific request to that port.
Other than that, I don't think it's possible to directly execute an application on the user's computer.

Can I open a Windows Explorer window from a web app?

I built a CRM for a client of mine, and now they've requested an interesting feature:
For each customer record, they have a matching directory of files on their local computer. They want the ability to open that folder in Windows Explorer directly from within the web app (the app doesn't need access to the directory/files; it just has to launch Windows Explorer so that the user can interact with their files).
This is obviously not possible with regular JavaScript running in the browser (thankfully). I thought there might be some way to accomplish this by building a Chrome extension for this purpose, but it seems Chrome extensions/apps can only access a sandboxed filesystem, which doesn't serve my needs at all. Building an NPAPI plugin in out of the question since Chrome is discontinuing support for NPAPI.
File URIs don't solve this problem either. Their display is ugly, there's no drag-and-drop, no big icons/thumbnails, no sorting etc. They want the full capability of the Windows Explorer.
The only viable option I thought of is to create a local node.js server, make a localhost CORS request to that server, and then run an exec command from node.
Any better idea?
One possibility is to register a custom URI protocol handler with the user's operating system, and then your web page can contain links using your custom protocol, such as openfolder://c/path/to/folder This sort of customization is probably most commonly seen in practice with itunes:// links.
A quick Google search led me to this decent looking tutorial: https://support.shotgunsoftware.com/hc/en-us/articles/200213756-How-to-launch-external-applications-using-custom-protocols-rock-instead-of-http-
The downside is that the user will have to run a small installer of some sort in order to set the correct registry entries (or whatever the non-Windows equivalent is for other OSes) and to drop a small script on disk. That would be much lighter-weight than running a node.js server like you proposed, though.
The linked tutorial uses a Python script, but even that is probably overkill for your needs. A batch file would likely suffice.
EDIT: One additional note, please be aware of the security implications of implementing a custom handler like this. Any webpage in any browser can potentially take advantage of your custom protocol, and an attacker would be able to pass arbitrary data to your script. You should take steps to ensure that the script will not accidentally execute arbitrary commands that may be injected by a malicious web page, and that it will only open a folder and nothing else.
That would require each customer to run a node.js server, which seems unrealistic in your case.
You could use File URIs.
Browsers will refuse to open them by default. However, as suggested in this answer, you could ask your customers to install LocalLinks.

Categories