Malicious code with limited character set?

[Paul E Collins]

Hello.

Some software I work on needs the ability to evaluate arithmetical
expressions at run-time. (Specifically, the user can enter a custom
formula to calculate the number of vehicles required to hold certain
sizes of container.) Since the C# libraries do not offer this, we are
calling into a separate .NET DLL, written in JScript, that merely
performs "eval" on a string and returns the result as a double.

Of course, "eval" can be used to execute arbitrary code. For example,
a formula of "for(;{}" would lock up the program in an infinite
loop. To avoid this, I am restricting the formula to a minimal set of
characters, specifically:

- The digits 0 to 9, the brackets ( ) and the decimal point.
- The arithmetic, bitwise and ternary operators + - * / % < > = ~ & |
^ ? :
- The letters a-z and A-Z (to permit usage of Math.Floor etc.).

Without semicolons or braces, I believe the user will not be able to
create an expression that does anything bad (such as an infinite loop
or attempts at file access). Can anyone prove me wrong?

Eq.

 

[Paul E Collins]

Without semicolons or braces, I believe the user will not be able to
create an expression that does anything bad (such as an infinite
loop or attempts at file access). Can anyone prove me wrong?

Curses. I've just found out that the semicolon isn't necessary, i.e.
this infinite loop will work in "eval" rather than raising a syntax
error: while(true)continue

I think I'll just have to ban upper- and lower-case letters altogether
unless they form part of a recognised Math library function.

Eq.

 

[shimmyshack]

Curses. I've just found out that the semicolon isn't necessary, i.e.
this infinite loop will work in "eval" rather than raising a syntax
error: while(true)continue

I think I'll just have to ban upper- and lower-case letters altogether
unless they form part of a recognised Math library function.

Eq.

can you set limits on the resources (CPU/time,mem) this dll will use,
and if the call throws an error... IMHO blacklisting will never work,
someone who wants to will find a way.
What model can you impose for the class of expression do you allow, if
you only allowed polynomials up to a certain degree, or allowed only
certain types of formatting of certain operators, I'm thinking of ^(a/
b) for roots, you could lock the thing down using regular expressions.
It would be up to the customer not to try to use
^(123^123456/-6^(-7)) because you only accept ^a/b where a and b are
integers, (^c where c is rational) up to a certain accuracy.
Am I being too simplistic or forcing your users to jump through too
many hoops, how advanced are they? - the more advanced the less
restrictions they would mind.

 

[Paul E Collins]

can you set limits on the resources (CPU/time,mem) this
dll will use, and if the call throws an error...

Evaluation errors aren't a problem, because JScript's exception can be
caught and handled in C#. Giving it only a set amount of time to run
before aborting is possible, but hopefully not necessary (see below);
it also wouldn't help if the code did some short-lived evil thing like
overwriting a file.

IMHO blacklisting will never work,

What I meant there - and what I've done for now - is to temporarily
remove the entire names of known acceptable functions such as
"Math.Floor" (the ones we offer in a dropdown list) and then check the
remainder for only containing digits and math operators. Writing
meaningful JS code without the use of letters should be impossible, so
I think it's safe enough now.

you could lock the thing down using regular expressions.

That seems like a good idea. I'll look into that one as well.

Eq.

 

[shimmyshack]

Evaluation errors aren't a problem, because JScript's exception can be
caught and handled in C#. Giving it only a set amount of time to run
before aborting is possible, but hopefully not necessary (see below);
it also wouldn't help if the code did some short-lived evil thing like
overwriting a file.



What I meant there - and what I've done for now - is to temporarily
remove the entire names of known acceptable functions such as
"Math.Floor" (the ones we offer in a dropdown list) and then check the
remainder for only containing digits and math operators. Writing
meaningful JS code without the use of letters should be impossible, so
I think it's safe enough now.


That seems like a good idea. I'll look into that one as well.

Eq.

yeah I was thinking - if you want free form equations to be executed
good luck! - but if you have a model for the type of equation they
will use, then you're laughing. I mean you are likely to get types of
expression, like a n degree polynomial, great, you're laughing, or it
must have a term in e^n where n is rational, great! Using the real
world problem and getting the likely expression will help you here. I
mean they are unlikely to need a tanh curve in there!!