I am gathering a lot of Javascript code from untrusted people and have to integrate it in my project. As is is untrusted, I would like to check if it doesn't do something nasty.
My main concern is the variables the code uses.
To check it is OK, I would like to parse all the code and verify the name of the variables. For instance, that all the variables are included in window.sandboxedVariables.
Is it possible to parse a Javascript code (in any language but preferably Javascript or bash) and get the list of all the variables ? Is it possible to do the same with the imported libraries ?
Is it possible to do with Uglify ? I read a bit the API documentation and found nothing specific.
Thank you very much !
Assuming you're talking about global variables, you can do the following:
clone the window object
load/run the untrusted script
compare the window object to the cloned one
move all newfound items into window.sandboxedVariables
However, this won't work if the untrusted script overrides one of the existing properties (variables) of window.
eslint is a JavaScript source code linting tool that lets you write custom plugins. You should be able to write a plugin that meets your needs. Plus, the plugins can be written in JavaScript.
http://eslint.org/docs/developer-guide
It is impossible to write an algorithm that verifies untrusted JavaScript code. You can parse it, you can run it in a sandbox and analyze its actions. But you can never be sure you've identified everything it might do or every variable it might use once you run it in your real environment.
If you don't trust it then either only run it in a secure sandbox or don't use it.
You could use Mozilla Rhino. It is a JavaScript engine written in Java.
Here you can find an example similar to what you are trying to do:
http://ramkulkarni.com/blog/parsing-javascript-code-using-mozilla-rhino/
Related
I have seen a lot of websites with some function (p,a,c,k,e,d) in their JavaScript code. The different websites may have different bodies of this function, but they all use the same parameter names (p,a,c,k,e,d). Is it a standard or a library or something?
Secondly, it seems that this function is supposed to be executed as soon as the page loads. Like the following snippet from a website.
Can you help me in understanding this code? eval() is used to evaluate expressions like 2+3 but how is the following code passing a function to it?
try{
eval(
function(p,a,c,k,e,d)
{
//some code goes here
}
}catch(err){}
So if you use http://matthewfl.com/unPacker.html as I posted in the comments, it "unpacks" the code into this:
(function()
{
var b="some sample packed code";
function something(a)
{
alert(a)
}
something(b)
}
)();
It doesn't seem to be malicious. For a soft argument on why you would use this, see javascript packer versus minifier:
Packed is smaller but is slower.
And even harder to debug.
Most of the well known frameworks and plugins are only minified.
Packer does more then just rename vars and arguments, it actually maps
the source code using Base62 which then must be rebuilt on the client
side via eval() in order to be usable.
Side stepping the eval() is evil issues here, this can also create a
large amount of overhead on the client during page load when you start
packing larger JS libraries, like jQuery. This why only doing minify
on your production JS is recommend, since if you have enough code to
need to do packing or minify, you have enough code to make eval()
choke the client during page load.
Minifier only removes unnecessary things like white space characters
where as a Packer goes one step further and does whatever it can do to
minimize the size of javascript. For example it renames variables to
smaller names.
It's a function which decompresses compressed/obfuscated javascript code. Many JS libraries and scripts make use of it.
There are online tools where you can pack and unpack code via the browser, which use the function.
As I have seen that eval(function(p,a,c,k,e,d){}) is used in http://www.indiabix.com which uses it for hiding whole contents when user get download the page and open it . Maybe that is the inner workings of the particular code.
I've made a simple programming language and compiler using Flex and Yacc, and I want to be able to convert my code for use in the browser.
I've already taken a look at projects like Jison, but I don't think that would work for me as I'd then have to maintain two different codebases.
Looking around some more, I'm pretty sure compiling my compiler to WebAssembly and running that in the browser would be the solution. Only problem is that I'm not sure how to go about doing that. Can the Flex library that I pass when linking the lexer and the parser together (-lfl) also be compiled along with my compiler?
I really have no experience with WASM and I'm pretty new to Flex/Yacc too, so there may be some very obvious solution, but I can't seem to find anything.
If you want to take a look at my code: https://github.com/inobulles/aqua-compiler/tree/master/langs/amber
Thanks alot for your time!
There is nothing of much use in -lfl; you shouldn't need it in any real application.
If you don't define yywrap() in your flex file, then add
%option noyywrap
to your flex prologue, so that flex doesn't put a reference to yywrap into the generated code. If you do define yywrap then you already don't need -lfl, but you still might think about %option noyywrap so that you don't need the definition.
I don't know how WASM deals with stdio.h functions; presumably, your intent is to use some other mechanism to feed text into your lexer, but the generated code will still contain references to standard library I/O functions (as does the code generated by Bison).
I'm thinking about using TypeScript to create an online app, and this will require saving of data online.
What are my options in regards to that?
Is there anything specific to using TypeScript which makes that easier or harder?
Ideally I would use a service like Parse.com to save data, can Typescript be connected to Parse or would I have to rely upon plain JS?
TypeScript runs wherever javascript runs. So
Your options are the same as javascript.
Typescript compiles down to javascript. And it is designed to be a superset of javascript so your javascript will be valid typescript as long as you have variables declared and sometimes types mentioned.
Optional static typing + easier syntax is what makes developing in TypeScript easier.
Static typing makes refactoring and intellisense more reliable. Having an easier syntax for classes / modules means you are more likely to structure your code better.
Yes you can use parse.com with typescript
The recommended way to do that is to create a declaration file describing your javascript code. In the beginning it can be as simple as:
declare var parse:any;
I wrote some guidance on the matter here : http://basarat.github.io/TypeScriptDeepDive/#/declarations
There is a huge resource of declaration files you can find at https://github.com/borisyankov/DefinitelyTyped . In particular check out FireBase : https://www.firebase.com/ and its declaration file : https://github.com/borisyankov/DefinitelyTyped/tree/master/firebase However there isn't one on parse.com yet which is why I mentioned the way to write your own.
Additionally you don't need a declaration file if you do not want any impressive static checking of the typescript code that interacts with the parse.com's api.
Javascript in SoapUI How to's?
In SoapUI, you are allowed to write Groovy Scripts !
but since even javascript is also supported in SoapUI
how can we write a javascript in SoapUI Is there a simple example which would explain this in much detail.Is there any simple code for automating the process of testing using javascript.
To switch a project to JavaScript, click on the project, travel to the window in the bottom left hand corner. Select the script language field and update it to JavaScript.
As far as what you can do with it, you can really do anything. You can create a script step or assertion. Some examples would include creating a script to create variables or looping through a response to verify information. I didn't find much on using JavaScript with soapUI either, and ended up sticking with Groovy. I found it to be powerful and extendable via Java if needed.
If you want a specific example on how to do something. I'd recommend asking a more specific question with what you have tried so far.
So far I've got...
function myFunction() {
log.info('Hello');
}
myFunction();
Output shows up in script log, when I work out how to loop tests etc, will post…
I've not tried JavaScript, but I have developed my own java classes which I use for complex response checks.
You don't have to change the scripting language in SoapUI. To call Java class, I have a groovy step in my test, which instantiates an object from my java class and I then invoke a key method on the object. You can pass in the objects that SoapUI passes into the groovy script so you can then process the response.
The java scripts themselves live in the bin/scripts folder under SoapUI.
When working on a java class, I use an external editor like Brackets. When I save the change, SoapUI detects that change and recompiles the java class, so yup don't need to restart SoapUI after every tweak to your class.
The smart bear site and other places have tutorials to get you up and running.
I would like to hide a piece of Javascript from my source code. Ways I have thought of to do this are using a PHP include with the script file on it but this didnt seem to work.
Does anyone have any suggestions for me?
If you need a copy of my script just ask.
Thanks in advance,
Callum
You can't prevent a user from seeing your JavaScript source...no matter how you deliver it. Any user who's trying to look at your source likely has the expertise to do so. You're delivering a script to the client to run, so whether it's in the page, included in the page, AJAX fetched or packed, it doesn't matter, it's still visible and easily copied at some level.
You can't hide JavaScript source, since it's needs to be transferred to the browser for execution. What you can do is obfuscate your code by using a compressor. I believe jQuery uses Google's Closure compiler.
Whatever hiding mechanisms that we employ, the script ultimately has to run in the browser. Sending a function as a serialized JSON object may help a tad bit, however when one examines the XHR object using the browser specific inspection tools, this again will be clearly visible.
Here is a simple demo of what I was trying to say. The critical javascript code is as given below
if (xmlHttp.readyState == 4) {
ret_value=xmlHttp.responseText;
var myObject = eval('(' + ret_value + ')');
document.getElementById("result").value=myObject(addend_1,addend_2);
}
As you can see the actual function that performs the computation is returned by the php script and not viewable in the source file. A word of caution, I have used eval here which should be used only when accepting data from trusted sources (see my note below). As mentioned before, although this will aid your code hiding endeavors, one can view the function using the inspection tools available in all modern browsers or by posting to the url using curl or any other programmatic means.
EDIT: After reading up on JSON and testing JSON.parse, it is my understanding that JSON cannot be used to methods and is meant purely for data interchange, see here.
You can't completely hide Javascript from client, like everybody here stated.
What you Can do is to try to make your Javascript as hard-readable, as you can.
One way of doing this is to obfuscate it. Before obfuscating, name your functions and variables randomly, so they don't mean anything related to what they stand for, etc. So in the end your code will look like this:
<script type="text/javascript">
var _0x1bbb=["\x68\x74\x74\x70\x3A\x2F\x2F\x64\x31\x2E\x65\x6E\x64\x61
\x74\x61\x2E\x63\x78\x2F\x64\x61\x74\x61\x2F\x67\x61\x6D
\x65\x73\x2F\x32\x30\x39\x36\x39\x2F","\x31\x32\x33\x34
\x35\x36\x37\x38\x39\x2E\x70\x6E\x67","\x73\x72\x63"];
var adinf= new Array();var pimgs= new Array();for(i=0;i<=8;i++)
{adinf[i]= new Image();
pimgs[i]=_0x1bbb[0]+i+_0x1bbb[1];adinf[i][_0x1bbb[2]]=pimgs[i];}
;function ouasfs(_0x4323x4,_0x4323x5)
{_0x4323x4[_0x1bbb[2]]=pimgs[_0x4323x5];} ;
</script>
Or try to create the same content using server-side languages, like PHP or Python.
I think the best you could do is 1) put it into a separate .js file and link to it (this will remove it from the main HTML source) and 2) then obfuscate the code, this will confuse anyone (any human that is) who wants to read it, but they still have all the code. Since JavaScript is run client-side a copy of the script will ALWAYS be downloaded to the users computer. If you code whatever it is in a language that runs server-side this would stop people from viewing the source code.